CVE-2023-33175: toui allows user-specific variables to be shared between users

May 30, 2023 (updated June 7, 2023)

Impact

Websites that use Website.user_vars property in versions.

Patches

It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1

Workarounds

Do not use Website.user_vars in websites when using versions v2.0.1 to v2.4.0. Also, do not use Website.signin_user() in version v2.4.0 only.

Explanation

ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client’s browser, but it seems that these are stored in the server side.

References

github.com/advisories/GHSA-hh7j-pg39-q563
github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1
github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563

Code Behaviors & Features

Detect and mitigate CVE-2023-33175 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →