Описание
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.
Ссылки
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.8.0 (включая)
cpe:2.3:a:dogukanurker:flaskblog:*:*:*:*:*:*:*:*
EPSS
Процентиль: 23%
0.00075
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-639
EPSS
Процентиль: 23%
0.00075
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-639