6.5 CVE-2025-55734
Exploit
flaskBlog is a blog app built with Flask. In version 2.8.0 and earlier, the code checks whether the userRole is "admin" only when the /admin page itself is visited, not when its subroutes are visited. Specifically, only routes/adminPanel.py checks the user role when a user tries to access the admin page; the same check is absent from routes/adminPanelComments.py and routes/adminPanelPosts.py. As a result, an unauthorized user can bypass the intended restriction and reach the following pages, leaking sensitive data: /admin/posts, /adminpanel/posts, /admin/comments, and /adminpanel/comments.
https://nvd.nist.gov/vuln/detail/CVE-2025-55734
Categories
CWE-862
References
| source | url | tags |
|---|---|---|
| security-advisories@github.com | https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-h239-vv39-... | Exploit, Third Party Advisory |
| security-advisories@github.com | https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-jw79-2xvp-... | Exploit, Third Party Advisory |
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:dogukanurker:flaskblog:*:*:*:*:*:*:*:* | <= 2.8.0 | |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
Other Nist (github, ...)
| Url |
|---|
| https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-h239-vv39-... |
| https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-jw79-2xvp-... |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||