CVE-2023-33175

toui allows user-specific variables to be shared between users in pypi/toui

Identifiers

CVE-2023-33175, GHSA-hh7j-pg39-q563

Package Slug

pypi/toui

Vulnerability

toui allows user-specific variables to be shared between users

Description

Impact

Websites that use Website.user_vars property in versions.

Patches

It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1

Workarounds

Do not use Website.user_vars in websites when using versions v2.0.1 to v2.4.0. Also, do not use Website.signin_user() in version v2.4.0 only.

Explanation

ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.

Affected Versions

All versions starting from 2.0.1 before 2.4.1

Solution

Upgrade to version 2.4.1 or above.

Last Modified

2023-05-25

source