An issue exists in Flask-CORS (aka CORS Middleware for Flask) prior to 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
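
The following is an added example, not Flask-CORS's own code: a minimal model of regex-based resource matching that shows why a rule evaluated against the raw request path can be satisfied by a non-canonical `../` path, and how canonicalizing before matching prevents it. The resource pattern, the sample paths and all function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed policy: CORS is meant to apply only under the public prefix.
CORS_RESOURCES = [re.compile(r"^/api/public/.*$")]


def matches_raw(path):
    """Model of the flawed check: the pattern sees the path exactly as sent."""
    return any(p.match(path) for p in CORS_RESOURCES)


def canonicalize(path):
    """Percent-decode once, then resolve '.' and '..' segments."""
    decoded = unquote(path)
    normalized = posixpath.normpath(decoded)
    # POSIX normpath preserves exactly two leading slashes; collapse them.
    if normalized.startswith("//"):
        normalized = "/" + normalized.lstrip("/")
    # normpath drops a trailing slash; keep it so prefix rules still apply.
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def matches_canonical(path):
    """Hardened check: the pattern sees only the canonical form."""
    canonical = canonicalize(path)
    return any(p.match(canonical) for p in CORS_RESOURCES)


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/api/public/items",
        "/api/public/../private/keys",
        "/api/public/%2e%2e/private/keys",
    ]
    for s in samples:
        print(f"{s!r:40} raw={matches_raw(s)!s:5} "
              f"canonical={matches_canonical(s)!s:5} -> {canonicalize(s)}")
```

The canonical form used for the policy decision must be the same form the router uses to select the handler; otherwise the two can still disagree about which resource a request targets.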
| Vulnerable Product |
|---|
| flask-cors project flask-cors |
| debian debian linux 10.0 |
| opensuse leap 15.1 |
| opensuse backports sle 15.0 |
| opensuse leap 15.2 |