CVE-2021-23393

Name of the Vulnerable Software and Affected Versions Flask-Unchained versions prior to 0.9.0

Description The issue allows bypassing URL validation and redirecting a user to an arbitrary URL by providing multiple back slashes, such as evil.com/path, when using the validate redirect url function. This is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using autocorrect location header=False.

Recommendations For versions prior to 0.9.0, update to version 0.9.0 or later to resolve the issue. As a temporary workaround, consider modifying the default behavior of Werkzeug by setting autocorrect location header=True to minimize the risk of exploitation. Restrict the use of alternative WSGI servers other than Werkzeug until the issue is resolved.