CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-30861 – Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
https://notcve.org/view.php?id=CVE-2023-30861
02 May 2023 — Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. • https://github.com/JawadPy/CVE-2023-30861-Exploit • CWE-488: Exposure of Data Element to Wrong Session CWE-539: Use of Persistent Cookies Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1010083
https://notcve.org/view.php?id=CVE-2019-1010083
17 Jul 2019 — The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. • https://www.palletsprojects.com/blog/flask-1-0-released •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-1000656 – python-flask: Denial of Service via crafted JSON file
https://notcve.org/view.php?id=CVE-2018-1000656
20 Aug 2018 — The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083. Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validación de entr... • https://github.com/pallets/flask/pull/2691 • CWE-20: Improper Input Validation •