CVE-2025-55737

Medium CVSS: 6.9

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.

Vendor

Dogukanurker

Product

Flaskblog

CWE

CWE-639

Yayın Tarihi

2025-08-19 20:15:35

Güncelleme

2025-08-21 18:40:41

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Flaskblog MEDIUM Dogukanurker 2025

Referanslar

https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-6hp9-jv2f-88wr

Benzer Kayıtlar

Medium

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when vis…

Medium

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the conte…

Critical

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving…

Medium

CVE-2025-53631

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitt…

Medium

CVE-2025-28103

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.

Critical

CVE-2025-28104

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.