PT-2025-33845 · Flaskblog · Flaskblog

Davidedc97 · Published 2025-08-19 · Updated 2025-08-22 · CVE-2025-55734

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: flaskBlog versions 2.8.0 and earlier

Description: The application checks userRole for "admin" privileges only when the /admin page itself is requested, not when its subroutes are. Specifically, the check is performed in routes/adminPanel.py but is absent from routes/adminPanelComments.py and routes/adminPanelPosts.py. As a result, users without the admin role can bypass the access restriction and read sensitive data on the following pages: /admin/posts, /adminpanel/posts, /admin/comments, and /adminpanel/comments.

Recommendations: flaskBlog versions prior to 2.8.0: Implement role-based access control checks for all subroutes of the /admin page, including routes/adminPanelComments.py and routes/adminPanelPosts.py, so that only authorized users can access these pages.
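The following is an added illustration, not code from flaskBlog or from this advisory. It models the pattern the description names (a role check on the /admin index view only, with the posts and comments subroutes left unguarded) using a stdlib-only stand-in for a Flask route table, and shows the recommended fix: apply the role check to every view under the admin prefixes, plus a small audit that lists any admin-prefixed route still missing it. The route paths are the ones in the advisory; the view functions, the session dictionary, the `require_role` decorator and the `required_role` marker are assumptions made for the example.

```python
"""Stdlib-only stand-in for the Flask routing pattern described in the advisory.
Everything here (view names, session shape, decorator) is constructed for illustration."""
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller lacks the required role (maps to HTTP 403)."""


def require_role(role):
    """Decorator that refuses the request unless session['userRole'] matches."""
    def decorator(view):
        @wraps(view)
        def wrapper(session, *args, **kwargs):
            if session.get("userRole") != role:
                raise Forbidden(f"role {role!r} required")
            return view(session, *args, **kwargs)
        wrapper.required_role = role  # marker the audit below looks for
        return wrapper
    return decorator


# Assumed views standing in for adminPanel.py, adminPanelPosts.py, adminPanelComments.py.
def _admin_index(session):
    return "admin dashboard"


def _admin_posts(session):
    return ["post 1", "post 2"]


def _admin_comments(session):
    return ["comment 1"]


# Vulnerable layout: only the /admin index carries the role check; the post and
# comment subroutes (reachable under both prefixes) do not.
VULNERABLE_ROUTES = {
    "/admin": require_role("admin")(_admin_index),
    "/admin/posts": _admin_posts,
    "/admin/comments": _admin_comments,
    "/adminpanel/posts": _admin_posts,
    "/adminpanel/comments": _admin_comments,
}

ADMIN_PREFIXES = ("/admin", "/adminpanel")


def _is_admin_path(path):
    """True for the prefix itself or anything nested under it."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def unguarded_admin_routes(routes):
    """Audit: admin-prefixed paths whose view does not carry the admin role check."""
    return sorted(
        path for path, view in routes.items()
        if _is_admin_path(path) and getattr(view, "required_role", None) != "admin"
    )


def guard_admin_routes(routes):
    """Fix: return a copy of the route table with require_role('admin') applied to
    every admin-prefixed view that does not already have it."""
    guarded = {}
    for path, view in routes.items():
        if _is_admin_path(path) and getattr(view, "required_role", None) != "admin":
            view = require_role("admin")(view)
        guarded[path] = view
    return guarded


FIXED_ROUTES = guard_admin_routes(VULNERABLE_ROUTES)


def dispatch(routes, path, session):
    """Simulate one request against a route table; returns (status, body)."""
    view = routes.get(path)
    if view is None:
        return 404, None
    try:
        return 200, view(session)
    except Forbidden:
        return 403, None


if __name__ == "__main__":
    print("unguarded before fix:", unguarded_admin_routes(VULNERABLE_ROUTES))
    print("unguarded after fix: ", unguarded_admin_routes(FIXED_ROUTES))
    print("anonymous /admin/posts after fix:", dispatch(FIXED_ROUTES, "/admin/posts", {}))
```

In a real Flask application the equivalent of `guard_admin_routes` is a single `before_request` hook registered on the admin blueprint (or the decorator applied to every view in the admin modules), so that a subroute added later cannot silently ship without the check; `unguarded_admin_routes` is the kind of check that belongs in the test suite, iterating the application's URL map rather than a hand-built dictionary.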

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-55734
GHSA-H239-VV39-V3VX
GHSA-JW79-2XVP-76P8

Affected Products

Flaskblog