PT-2023-24682 · Pypi · Flask-Appbuilder
Msegoviag · Published 2023-06-22 · Updated 2025-12-02
CVE-2023-34110 · CVSS v4.0 5.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Flask-AppBuilder versions prior to 4.3.2
Description
An authenticated actor with Admin privileges can trigger a database error by entering a special character in the add or edit User forms. The raw error text is surfaced back to the actor in the UI and, on certain database engines, includes the entire user row, including the pbkdf2:sha256 password hash. Admin users can normally create and edit accounts but are never shown stored hashes; the leaked hash can be taken away for offline cracking. Note that the attacker already holds Admin privileges (PR:H in the vector), which is why the score is only Medium.
Recommendations
For versions prior to 4.3.2, update to 4.3.2 or later to resolve the issue. As a temporary workaround until the update is applied, remove Admin users' access to the add and edit User forms.
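The mechanism behind the description is a handler that builds the on-screen flash message from the exception text, so whatever the database driver or ORM puts into that text reaches the browser. The following added example (written for this page, not Flask-AppBuilder's own code) reproduces that pattern with only the standard library: a constructed `StatementError` mimics ORM exceptions that echo the failed statement and its bound parameters, which is how the whole row, hash included, ends up in the message. Because the exact special character that provokes the error depends on the database engine, the example triggers the error with a duplicate username instead; the surfacing of the error, not its trigger, is the point. The hardened handler keeps the detail server-side under an error reference, redacts pbkdf2 hashes before logging, and returns a fixed message. The table name, message texts and iteration count are assumptions.

```python
import hashlib
import logging
import re
import secrets
import sqlite3
import uuid

log = logging.getLogger("user_form_demo")

# Werkzeug's pbkdf2:sha256 hash layout: pbkdf2:sha256:<iterations>$<salt>$<hexdigest>
HASH_RE = re.compile(r"pbkdf2:sha256:\d+\$[A-Za-z0-9]+\$[0-9a-f]+")

# Assumption: lowered from production values so the demo runs quickly.
DEMO_ITERATIONS = 100_000


def hash_password(password: str, iterations: int = DEMO_ITERATIONS) -> str:
    """Build a Werkzeug-style pbkdf2:sha256 hash with hashlib (Werkzeug not imported)."""
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${digest.hex()}"


def open_db() -> sqlite3.Connection:
    """In-memory user table (constructed); the UNIQUE constraint supplies the error."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ab_user ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL UNIQUE,"
        " password TEXT NOT NULL)"
    )
    return conn


class StatementError(Exception):
    """Constructed stand-in for ORM exceptions whose str() echoes the statement and its
    bound parameters (SQLAlchemy's DBAPIError does this unless the engine is created
    with hide_parameters=True). The parameters are the whole row, hash included."""


def insert_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    params = {"username": username, "password": hash_password(password)}
    sql = "INSERT INTO ab_user (username, password) VALUES (:username, :password)"
    try:
        with conn:  # commits on success, rolls back and re-raises on error
            conn.execute(sql, params)
    except sqlite3.DatabaseError as exc:
        raise StatementError(f"{exc}\n[SQL: {sql}]\n[parameters: {params!r}]") from exc


def vulnerable_add_user(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Pre-fix pattern: the UI message is built from str(exc), so the echoed row leaks."""
    try:
        insert_user(conn, username, password)
        return "Added Row"
    except StatementError as exc:
        return f"Integrity error, probably unique constraint: {exc}"


def redact_secrets(text: str) -> str:
    """Mask pbkdf2 hashes so they never reach logs or the UI even by accident."""
    return HASH_RE.sub("pbkdf2:sha256:<redacted>", text)


def hardened_add_user(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Fixed pattern: generic message to the user, redacted detail to the server log."""
    try:
        insert_user(conn, username, password)
        return "Added Row"
    except StatementError as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("add user failed ref=%s detail=%s", ref, redact_secrets(str(exc)))
        return f"Could not save the user (error ref {ref}); contact an administrator."


def demo() -> tuple[str, str]:
    """Seed one user, then try to add the same username through both handlers."""
    conn = open_db()
    insert_user(conn, "admin", "correct horse battery staple")
    leaky = vulnerable_add_user(conn, "admin", "another password")
    safe = hardened_add_user(conn, "admin", "another password")
    return leaky, safe


if __name__ == "__main__":
    leaky, safe = demo()
    print("vulnerable UI message:\n", leaky)
    print("hardened UI message:\n", safe)
```

When reviewing a Flask-AppBuilder or plain Flask deployment for this class of bug, grep the views for `flash(str(e))`-style calls and check whether the SQLAlchemy engine is created with `hide_parameters=True`; the `redact_secrets` filter is a second line of defence for whatever still reaches the log.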
Weakness Enumeration
Generation of Error Message Containing Sensitive Information
Related Identifiers
Affected Products
Flask-Appbuilder