flask-cors
PyPI
5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting flask-cors
- CVE-2020-25032 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.0.9 | 2020-08-31
vulnerable: 1.0 ... 0.0.0.dev4 (42 versions)
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
- CVE-2024-1681 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-04-19
vulnerable: 0.0.0.dev3 ... 4.0.0a0 (46 versions)
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. …
- CVE-2024-6221 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 4.0.2 | 2024-08-18
vulnerable: 1.0 ... 0.0.0.dev4 (47 versions)
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading…
- CVE-2024-6844 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 6.0.0 | 2025-03-20
vulnerable: 0.0.0.dev3 ... 5.0.1 (50 versions)
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' chara…
- CVE-2024-6866 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 6.0.0 | 2025-03-20
vulnerable: 0.0.0.dev3 ... 5.0.1 (50 versions)
corydolphin/flask-cors version 4.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch becaus…
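Three of the advisories above (CVE-2020-25032, CVE-2024-6844 and CVE-2024-6866) share one root cause: the string Flask-CORS compares against a resource pattern is not the string the application routes on. The following is an added illustration, not code from this page or from the Flask-CORS project. It is a constructed Python model of the three behaviours the advisories name (no canonical form enforced, `unquote_plus` applied to the path, and a case-insensitive host matcher reused for paths), placed beside a matcher that works on the path the application actually serves, with a small audit helper that reports where the two disagree. The `RESOURCES` config, the `pattern_to_regex` translation, the `app_view` routing model and every request path are assumptions made for the example.

```python
"""Constructed model of the Flask-CORS resource-matching inconsistencies
described in CVE-2020-25032, CVE-2024-6844 and CVE-2024-6866.

Not Flask-CORS's own code: it mirrors only the behaviours the advisories
describe so the divergence from application routing can be shown offline.
"""
import posixpath
import re
from urllib.parse import unquote, unquote_plus

# Constructed CORS config (assumption): two resource trees readable by any origin.
# The second pattern contains a literal space so the '+' handling can be shown.
RESOURCES = {
    "/public/*": {"origins": "*"},
    "/archive/2024 q1/*": {"origins": "*"},
}


def pattern_to_regex(pattern: str) -> str:
    """Anchored regex for a '*'-wildcard resource pattern.
    A model of wildcard translation, not the library's own."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def legacy_match(raw_path: str, pattern: str) -> bool:
    """Pre-6.0.0 matching as the advisories describe it:
    - the path goes through unquote_plus, so '+' becomes ' ' (CVE-2024-6844)
    - the comparison is case-insensitive, host-matcher style (CVE-2024-6866)
    - no canonical form is enforced, so '..' segments survive (CVE-2020-25032)
    """
    candidate = unquote_plus(raw_path)
    return re.match(pattern_to_regex(pattern), candidate, re.IGNORECASE) is not None


def app_view(raw_path: str) -> str:
    """The resource the application serves for a raw request path (assumed
    routing model): percent-decoding only, '+' kept literal, case preserved,
    and '.'/'..' segments collapsed to the canonical path."""
    return posixpath.normpath(unquote(raw_path))


def strict_match(raw_path: str, pattern: str) -> bool:
    """Match the pattern against the canonical, case-sensitive path the
    application sees, so CORS and routing agree on which resource is meant."""
    return re.match(pattern_to_regex(pattern), app_view(raw_path)) is not None


def audit(paths, resources=RESOURCES):
    """Return {path: (legacy_allowed, strict_allowed)} for every path on which
    the two matchers disagree about granting the permissive origin policy."""
    findings = {}
    for path in paths:
        legacy = any(legacy_match(path, pat) for pat in resources)
        strict = any(strict_match(path, pat) for pat in resources)
        if legacy != strict:
            findings[path] = (legacy, strict)
    return findings


if __name__ == "__main__":
    # Constructed request paths: one clean, one per described flaw, one control.
    sample = [
        "/public/index.json",             # agrees: both allow
        "/public/../private/keys.json",   # traversal: legacy allows, strict sees /private/
        "/PUBLIC/index.json",             # case: legacy allows, strict does not
        "/archive/2024+q1/report.csv",    # '+': legacy reads a space, strict keeps '+'
        "/archive/2024%20q1/report.csv",  # agrees: %20 decodes to a space either way
    ]
    for path, (legacy, strict) in audit(sample).items():
        print(f"{path}: legacy={legacy} strict={strict} app_view={app_view(path)}")
```

Running the audit against a deployment's real resource config and access-log paths is a quick way to see whether any permissive origin entry can be reached through a path the pattern author did not intend; upgrading to a fixed release (3.0.9 for the traversal, 6.0.0 for the '+' and case handling) removes the divergence at the source.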