CVE-2025-55734 Information

Aug 20, 2025 cve

Description

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier the code checks if the userRole is dmin\ only when visiting the /admin page but not when visiting its subroutes. Specifically only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page but that control is not done for the pages routes/adminPanelComments.py and routes/adminPanelPosts.py. Thus an unauthorized user can bypass the intended restrictions leaking sensitive data and accessing the following pages: /admin/posts /adminpanel/posts /admin/comments and /adminpanel/comments.

Reference

https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-h239-vv39-v3vx https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-jw79-2xvp-76p8

CNNVD-202508-2207 (Published: 2025-08-19)

Share on:

CVE-2025-55734 Information

Description

Reference

Related CNNVD