Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error
Moderate severity
GitHub Reviewed
Published Jun 22, 2023 in dpgaspar/Flask-AppBuilder. Updated Nov 18, 2024
Description
Published to the GitHub Advisory Database
Jun 22, 2023
Reviewed
Jun 22, 2023
Published by the National Vulnerability Database
Jun 22, 2023
Last updated
Nov 18, 2024
Impact
An authenticated malicious actor with Admin privileges could, by adding a special character on the add or edit User forms, trigger a database error; this error is surfaced back to the actor in the UI. On certain database engines the error can include the entire user row, including the pbkdf2:sha256 hashed password.
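The failure mode above is a database driver's error text reaching the UI unfiltered. The following is an added illustration, not code from Flask-AppBuilder: a leaky handler beside a hardened one that keeps only a correlation id for the user and writes a redacted version to the server log. The sample error string, table name, values and hash are constructed for this example; the "Failing row contains" line mimics the DETAIL line some engines (PostgreSQL among them) attach to constraint errors.

```python
import logging
import re
import uuid

# Werkzeug-style hashes look like "pbkdf2:sha256:<iterations>$<salt>$<hexdigest>".
HASH_RE = re.compile(r"pbkdf2:sha256:\d+\$[^$\s)]+\$[0-9a-f]+")
# Some engines append a "DETAIL:  Failing row contains (...)" line to
# constraint errors; that is where the whole user row ends up.
ROW_DETAIL_RE = re.compile(r"Failing row contains \(.*?\)", re.S)

log = logging.getLogger("user_forms")


def redact_db_error(text: str) -> str:
    """Scrub echoed row contents and password hashes before the text goes anywhere."""
    text = ROW_DETAIL_RE.sub("Failing row contains (<redacted>)", text)
    return HASH_RE.sub("pbkdf2:sha256:<redacted>", text)


def leaky_handler(exc: Exception) -> dict:
    """Vulnerable pattern: raw driver error text is flashed back to the admin's UI."""
    return {"status": 500, "flash": f"Error saving user: {exc}"}


def safe_handler(exc: Exception) -> dict:
    """Hardened pattern: generic message plus a correlation id for the UI;
    the redacted detail goes only to the server log."""
    ref = uuid.uuid4().hex[:8]
    log.error("user form DB error ref=%s: %s", ref, redact_db_error(str(exc)))
    return {"status": 500, "flash": f"Could not save user (ref {ref}); see server log."}


def leaks_sensitive_data(response: dict) -> bool:
    """Check a UI response for the two tell-tales of this disclosure."""
    flash = response["flash"]
    return bool(HASH_RE.search(flash)) or "Failing row contains" in flash


# Constructed sample error (hypothetical table, values and hash).
SAMPLE_ERROR = (
    "(DatabaseError) could not save row into users\n"
    "DETAIL:  Failing row contains (7, alice, alice@example.com, "
    "pbkdf2:sha256:600000$Qx7LzP0a$9f86d081884c7d659a2feaa0c55ad015, t).\n"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    exc = Exception(SAMPLE_ERROR)
    print("leaky:", leaks_sensitive_data(leaky_handler(exc)))  # True
    print("safe: ", leaks_sensitive_data(safe_handler(exc)))   # False
```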
Patches
Fixed in 4.3.2
References