cvedb.io
CVE-2021-32618
LOW · CVSS 3.1
EPSS exploitation probability: 0%
Published 2021-05-17T18:15:08.123 · Last modified 2026-06-17T03:53:16.967

Summary

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however m

Affected products

flask-security_project — flask-security

Does this affect you?

Add your gear to cvedb and we'll alert you only when flask-security_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.