U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Pallets Flask
  • Search Type: Search All
  • CPE Name Search: false
There are 6 matching records.
Displaying matches 1 through 6.
Vuln ID Summary CVSS Severity

The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped.

Published: July 12, 2022; 11:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM

** DISPUTED ** The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision.

Published: May 13, 2021; 7:15:07 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.

Published: November 18, 2020; 10:15:12 AM -0500
V3.1: 6.1 MEDIUM
V2.0: 5.8 MEDIUM

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.

Published: July 17, 2019; 10:15:11 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Published: August 20, 2018; 3:31:45 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.

Published: October 23, 2017; 12:29:00 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM