DogukanUrker flaskBlog
cpe:2.3:a:dogukanurker:flaskblog:*:*:*:*:*:*:*
- 2.6.1
An access control vulnerability in flaskBlog version 2.6.1 lets an authenticated user delete arbitrary user accounts with a crafted request. The account deletion logic matches usernames on their lowercased form instead of exactly, so an attacker who owns (or renames an account to) a username that differs from the target's only in letter case can have the target's account deleted as well, including the administrative account.
Successful exploitation allows the arbitrary deletion of user accounts, including the admin account, by any user able to register or rename an account.
To reproduce this vulnerability, register an account and change its username to 'admiN', or register a new account with that name. Then send the request that deletes the account named 'admiN'. Because the deletion compares lowercased usernames, 'admiN' also matches 'admin', and the admin account is deleted.
Update the account deletion logic so that it matches the username exactly rather than on its lowercased form; as a further safeguard, the deletion should only ever apply to the account of the authenticated requester (or be restricted to administrators). This vulnerability has been addressed in flaskBlog version 2.6.2.
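The following is an added illustration, not flaskBlog's own code: a minimal sqlite3 reconstruction of the case-insensitive delete described above, placed beside an exact-match delete that is also restricted to the requester's own account. The table and column names (`users`, `userName`), the seed data, and the function names are assumptions made for the example; the project's actual schema and handlers may differ.

```python
import sqlite3


def make_db():
    # Constructed in-memory database seeded with an admin and one ordinary user.
    # SQLite's default BINARY collation makes the UNIQUE constraint case-sensitive,
    # so 'admin' and 'admiN' can coexist, which is exactly what the attack relies on.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID INTEGER PRIMARY KEY, userName TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (userName) VALUES (?)", [("admin",), ("alice",)])
    conn.commit()
    return conn


def register(conn, username):
    # Assumed registration helper: no case-insensitive uniqueness check.
    conn.execute("INSERT INTO users (userName) VALUES (?)", (username,))
    conn.commit()


def delete_account_vulnerable(conn, username):
    # Reconstruction of the flawed logic (assumption): both sides are lowercased,
    # so a request to delete 'admiN' also removes 'admin'. Returns rows deleted.
    cur = conn.execute(
        "DELETE FROM users WHERE lower(userName) = lower(?)", (username,)
    )
    conn.commit()
    return cur.rowcount


def delete_account_fixed(conn, session_username, requested_username):
    # Hardened form: exact (case-sensitive) match, and a user may only delete
    # the account they are logged in as. Returns rows deleted (0 if refused).
    if requested_username != session_username:
        return 0
    cur = conn.execute("DELETE FROM users WHERE userName = ?", (requested_username,))
    conn.commit()
    return cur.rowcount


def usernames(conn):
    # Remaining usernames, sorted with SQLite's binary collation.
    return [row[0] for row in conn.execute("SELECT userName FROM users ORDER BY userName")]


def demo():
    # Attack path: register 'admiN', delete 'admiN', and watch 'admin' disappear too.
    conn = make_db()
    register(conn, "admiN")
    vuln_deleted = delete_account_vulnerable(conn, "admiN")
    vuln_remaining = usernames(conn)

    # Fixed path: the same attacker cannot touch 'admin' and can only remove 'admiN'.
    conn = make_db()
    register(conn, "admiN")
    refused = delete_account_fixed(conn, "admiN", "admin")
    self_deleted = delete_account_fixed(conn, "admiN", "admiN")
    fixed_remaining = usernames(conn)

    return {
        "vuln_deleted": vuln_deleted,
        "vuln_remaining": vuln_remaining,
        "refused": refused,
        "self_deleted": self_deleted,
        "fixed_remaining": fixed_remaining,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path the delete reports two rows removed and only 'alice' survives; in the fixed path the request for 'admin' is refused, the requester's own 'admiN' is removed, and 'admin' remains. Rejecting case-insensitive username collisions at registration is a further hardening worth adding on top of the page's fix, since confusable names also affect lookups other than deletion.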