dpgaspar Flask-AppBuilder 4.5.3

CPE Details

dpgaspar Flask-AppBuilder 4.5.3
dpgaspar
flask-appbuilder
4.5.3
2025-03-13
10h43 +00:00
2025-03-13
10h43 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:dpgaspar:flask-appbuilder:4.5.3:*:*:*:*:*:*:*

Informations

Vendor

dpgaspar

Product

flask-appbuilder

Version

4.5.3

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2025-58065 2025-09-11 17h55 +00:00 Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
6.5
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.