DogukanUrker flaskBlog
cpe:2.3:a:dogukanurker:flaskblog:*:*:*:*:*:*:*
- <= 2.8.0
An authorization bypass vulnerability has been identified in flaskBlog versions through 2.8.0. The user's role is checked only by the view that serves the main '/admin' page; the subroutes that serve the posts and comments administration pages perform no role check of their own. As a result, any logged-in user without the admin role can request those subroutes directly, read data intended for administrators, and bypass the restrictions that '/admin' is meant to enforce.
Exploitation requires only a low-privilege account: the user requests the admin subroutes for managing posts and comments directly and reaches the management functions they expose, without ever passing the role check that guards '/admin'.
To reproduce this vulnerability, log in as a user without admin privileges and request any of the following admin subroutes: '/admin/posts', '/adminpanel/posts', '/admin/comments', or '/adminpanel/comments'. Because these subroutes perform no role check, the request succeeds even though the account lacks admin rights. For comparison, requesting '/admin' itself with the same account is denied, which confirms that the check exists but is not applied to the subroutes.
Enforce the admin role check on every admin subroute, not only on the '/admin' index page; for example, apply one shared decorator to each admin view, or register a before-request hook on the admin blueprint, making sure both the '/admin' and '/adminpanel' prefixes are covered.
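The following is an added example illustrating the flaw and the remediation above; it is not flaskBlog's code. It uses a small standard-library router (the hypothetical MiniApp class) that keeps the one Flask property that matters here: every path maps to its own view function, so a check inside the '/admin' view protects nothing else. The route names, the session layout and the admin_required / deny_unless_admin helpers are assumptions for illustration.

```python
from functools import wraps

OK, FORBIDDEN, NOT_FOUND = 200, 403, 404


class MiniApp:
    """Hypothetical stand-in for Flask: exact path -> view(session), plus
    prefix-scoped hooks that behave like Blueprint.before_request."""

    def __init__(self):
        self.views = {}          # exact path -> view function
        self.before_hooks = []   # (prefix, hook) pairs

    def route(self, path):
        def deco(view):
            self.views[path] = view
            return view          # returning the view lets @route stack, as in Flask
        return deco

    def before_request(self, prefix):
        def deco(hook):
            self.before_hooks.append((prefix, hook))
            return hook
        return deco

    def get(self, path, session):
        view = self.views.get(path)
        if view is None:
            return NOT_FOUND, "not found"
        for prefix, hook in self.before_hooks:
            if path == prefix or path.startswith(prefix + "/"):
                rv = hook(session)
                if rv is not None:   # a hook that returns a response short-circuits
                    return rv
        return view(session)


def deny_unless_admin(session):
    """Shared role check: a (status, body) response to deny, None to allow."""
    if session.get("role") != "admin":
        return FORBIDDEN, "admins only"
    return None


def admin_required(view):
    """Per-view guard; the remediation is to put this on every admin view."""
    @wraps(view)
    def wrapper(session):
        return deny_unless_admin(session) or view(session)
    return wrapper


def build_vulnerable_app():
    """Mirrors the reported flaw: the role check lives only in the '/admin' view."""
    app = MiniApp()

    @app.route("/admin")
    def admin_index(session):
        return deny_unless_admin(session) or (OK, "admin dashboard")

    @app.route("/admin/posts")         # the subroutes and their '/adminpanel'
    @app.route("/adminpanel/posts")    # aliases carry no check at all
    def admin_posts(session):
        return OK, "every post, including drafts"

    @app.route("/admin/comments")
    @app.route("/adminpanel/comments")
    def admin_comments(session):
        return OK, "every comment"

    return app


def build_fixed_app():
    """Hardened variant: a hook on each admin prefix plus the decorator on every
    view, so a forgotten decorator or an uncovered alias prefix is still caught."""
    app = MiniApp()
    for prefix in ("/admin", "/adminpanel"):
        app.before_request(prefix)(deny_unless_admin)

    @app.route("/admin")
    @admin_required
    def admin_index(session):
        return OK, "admin dashboard"

    @app.route("/admin/posts")
    @app.route("/adminpanel/posts")
    @admin_required
    def admin_posts(session):
        return OK, "every post, including drafts"

    @app.route("/admin/comments")
    @app.route("/adminpanel/comments")
    @admin_required
    def admin_comments(session):
        return OK, "every comment"

    return app


ADMIN_PATHS = ("/admin", "/admin/posts", "/adminpanel/posts",
               "/admin/comments", "/adminpanel/comments")


def probe(app, session):
    """The reproduction step: status code per admin path for one session."""
    return {path: app.get(path, session)[0] for path in ADMIN_PATHS}


if __name__ == "__main__":
    low_priv = {"user": "alice", "role": "user"}   # constructed non-admin session
    print("vulnerable:", probe(build_vulnerable_app(), low_priv))
    print("fixed:     ", probe(build_fixed_app(), low_priv))
```

Running probe() against the vulnerable app with a non-admin session shows '/admin' denied but every subroute returning 200, which is exactly the comparison used in the reproduction steps; against the fixed app all five paths are denied. In a real Flask application the same shape applies: the hook becomes Blueprint.before_request on the admin blueprint, and admin_required wraps each view registered with @app.route.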