CVE-2025-55734

Medium CVSS: 6.9

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page, but that control is not done for the pages routes/adminPanelComments.py and routes/adminPanelPosts.py. Thus, an unauthorized user can bypass the intended restrictions, leaking sensitive data and accessing the following pages: /admin/posts, /adminpanel/posts, /admin/comments, and /adminpanel/comments.

Vendor

Dogukanurker

Product

Flaskblog

CWE

CWE-862

Yayın Tarihi

2025-08-19 19:15:37

Güncelleme

2025-08-22 20:58:55

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-862 Flaskblog MEDIUM Dogukanurker 2025

Referanslar

https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-h239-vv39-v3vx https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-jw79-2xvp-76p8

Benzer Kayıtlar

Medium

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ow…

Medium

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the conte…

Critical

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving…

Medium

CVE-2025-53631

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitt…

Medium

CVE-2025-28103

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.

Critical

CVE-2025-28104

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.