PT-2021-19810 · Unknown · Flask-Security-Too

Published 2021-05-17 · Updated 2021-12-14 · CVE-2021-32618

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Flask-Security-Too versions 3.0.0 and later
Description: The issue allows redirects after successful views, such as /login, by honoring the ?next query param. The validation check uses Python's urlsplit library to ensure the URL specified in the next parameter is either relative (no netloc) or has the same netloc as the requesting URL. However, many browsers are lenient and "fill in the blanks" when presented with a possibly incomplete URL. For example, http://login?next=github.com passes the relative-URL check because urlsplit reports no netloc for github.com, but many browsers will convert it to http://github.com, allowing an attacker to send a link to an unwitting user and have it redirect to any site they want. This is considered a low-severity issue because Werkzeug's default behavior of emitting absolute Location headers mitigates the attack vector.
Recommendations: To resolve the issue, ensure that the default Location header setting is used when employing Werkzeug. If this is not possible, use @app.after_request and implement custom validation of the Location header if it is set. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
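The urlsplit-based check pattern the advisory describes, a hardened check beside it, and a Location-header check suitable for an @app.after_request hook, as an added example that is not Flask-Security-Too's own code. The request host and the candidate next values are constructed.

```python
# Added example, not code from Flask-Security-Too: the ?next= validation pattern
# the advisory describes, a hardened check, and a Location-header check for an
# @app.after_request hook. The host name and inputs below are constructed.
from urllib.parse import urlsplit


def weak_next_is_safe(next_url: str, request_host: str) -> bool:
    """The weak pattern: accept when urlsplit() reports no netloc ("relative") or
    our own netloc. 'github.com' has no netloc for urlsplit(), yet browsers treat it
    as a host name once they fill in the missing scheme."""
    parts = urlsplit(next_url)
    return parts.netloc == "" or parts.netloc == request_host


def hardened_next_is_safe(next_url: str, request_host: str) -> bool:
    """Accept only an absolute http(s) URL on our own host, or a path that a browser
    cannot reinterpret as an absolute URL by 'filling in the blanks'."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) pointing back at our own host. A userinfo
        # prefix or a different port changes the netloc, so the comparison fails.
        return parts.scheme in ("http", "https") and parts.netloc == request_host
    if any(ord(c) < 0x20 or c == " " for c in next_url):
        return False  # control characters / spaces that lenient parsers strip
    if not next_url.startswith("/"):
        return False  # bare host names such as "github.com"
    if next_url.startswith("//") or "\\" in next_url:
        return False  # "///host" and "/\\host" may be read as scheme-relative
    return True


def location_header_is_allowed(location: str, request_host: str) -> bool:
    """The advisory's fallback: validate the Location header in @app.after_request.
    With Werkzeug's default of absolute Location headers, anything other than an
    http(s) URL on our own host is rejected."""
    parts = urlsplit(location)
    return parts.scheme in ("http", "https") and parts.netloc == request_host


if __name__ == "__main__":
    host = "app.example"  # constructed host of the current request
    for candidate in ("/account", "github.com", "///evil.example",
                      "/\\evil.example", "https://app.example/profile",
                      "https://evil.example/"):
        print(f"{candidate!r:32} weak={weak_next_is_safe(candidate, host)!s:5} "
              f"hardened={hardened_next_is_safe(candidate, host)}")
```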

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2021-32618
GHSA-6QMF-FJ6M-686C
GHSA-GXJJ-F44V-QM94
PYSEC-2021-123

Affected Products

Flask-Security-Too