User Impersonation

Affecting shiftboiler package, versions [,0.6.5)

Overview

shiftboiler is a Flask framework setup integrated with a number of libraries to quickly bootstrap app development.

Affected versions of this package are vulnerable to a User Impersonation attack. If the Google login did not return an id, a malicious user could take over another user's account.
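The bug class described above, as an added illustration that is not shiftboiler's own code: a social-login handler that looks up the local user by the provider-supplied id without first checking that the id is present, beside a hardened version that refuses to proceed when the id is missing. The in-memory user store and the shape of the `profile` dict are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    google_id: Optional[str] = None  # None for users who never linked Google


# Constructed sample users (assumption): one linked to Google, one local-only.
USERS = [
    User(email="alice@example.com", google_id="104857600"),
    User(email="bob@example.com", google_id=None),
]


def find_by_google_id(google_id: Optional[str]) -> Optional[User]:
    """Naive lookup: compares the stored provider id to whatever was passed in.
    With an ORM this is the equivalent of filter_by(google_id=value), which
    turns a None value into 'google_id IS NULL' and matches unlinked users."""
    for user in USERS:
        if user.google_id == google_id:
            return user
    return None


def login_vulnerable(profile: dict) -> Optional[User]:
    """Vulnerable pattern: profile.get('id') is None when the provider did not
    return an id, so the lookup matches a user who has no Google id at all and
    the caller is logged in as that unrelated user."""
    return find_by_google_id(profile.get("id"))


class InvalidProfile(Exception):
    """Raised when the provider response cannot identify a user."""


def login_hardened(profile: dict) -> Optional[User]:
    """Hardened pattern: require a non-empty string id before any lookup.
    A missing id is treated as a failed login, never as a wildcard."""
    google_id = profile.get("id")
    if not isinstance(google_id, str) or not google_id.strip():
        raise InvalidProfile("provider did not return a user id")
    return find_by_google_id(google_id)
```

Detection of this class of defect is a code-review or test concern: assert that every social-login path fails closed on a missing or empty provider id.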

Remediation

Upgrade shiftboiler to version 0.6.5 or higher.

CVSS Score

3.9
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Credit
Unknown
CWE
CWE-520
Snyk ID
SNYK-PYTHON-SHIFTBOILER-72558
Disclosed
09 Oct, 2018
Published
04 Nov, 2018