{"id":"PYSEC-2023-248","details":"An open redirect vulnerability in the Python package Flask-Security-Too \u003c=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes. The issue is fixed in version 5.3.3.","aliases":["CVE-2023-49438","GHSA-672h-6x89-76m5"],"modified":"2024-01-17T11:56:34.854068Z","published":"2023-12-26T22:15:00Z","references":[{"type":"WEB","url":"https://github.com/Flask-Middleware/flask-security"},{"type":"WEB","url":"https://github.com/brandon-t-elliott/CVE-2023-49438"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM/"}],"affected":[{"package":{"name":"flask-security-too","ecosystem":"PyPI","purl":"pkg:pypi/flask-security-too"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.3.3"}]}],"versions":["3.0.1","3.0.1rc1","3.0.1rc2","3.0.1rc3","3.0.2","3.1.0rc1","3.2.0","3.2.0rc1","3.2.0rc3","3.2.0rc4","3.3.0","3.3.0rc1","3.3.0rc2","3.3.0rc3","3.3.1","3.3.2","3.3.3","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.5","4.0.0","4.0.0rc1","4.0.0rc2","4.0.1","4.1.0","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","5.0.0","5.0.1","5.0.2","5.1.0","5.1.1","5.1.2","5.2.0","5.3.0","5.3.1","5.3.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2023-248.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}