CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

CVSS

No CVSS.

References

Link	Resource
https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-6q83-vfmq-wf72

Configurations

No configuration.

History

20 Aug 2025, 14:40

Type	Values Removed	Values Added
Summary		(es) flaskBlog es una aplicación de blog desarrollada con Flask. En la versión 2.8.0 y anteriores, cualquier usuario podía cambiar su rol a "admin", otorgándole privilegios relativos (por ejemplo, eliminar usuarios, publicaciones, comentarios, etc.). El problema está en el archivo route/adminPanelUsers.

19 Aug 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 19:15

Updated : 2025-08-20 14:40

NVD link : CVE-2025-55736

Mitre link : CVE-2025-55736

CVE.ORG link : CVE-2025-55736

JSON object : View

Products Affected

No product.

CWE

CWE-425

Direct Request ('Forced Browsing')

CWE-807

Reliance on Untrusted Inputs in a Security Decision

{"id": "CVE-2025-55736", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-19T19:15:37.837", "references": [{"url": "https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-6q83-vfmq-wf72", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-425"}, {"lang": "en", "value": "CWE-807"}]}], "descriptions": [{"lang": "en", "value": "flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to \"admin\", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file."}, {"lang": "es", "value": "flaskBlog es una aplicaci\u00f3n de blog desarrollada con Flask. En la versi\u00f3n 2.8.0 y anteriores, cualquier usuario pod\u00eda cambiar su rol a \"admin\", otorg\u00e1ndole privilegios relativos (por ejemplo, eliminar usuarios, publicaciones, comentarios, etc.). El problema est\u00e1 en el archivo route/adminPanelUsers."}], "lastModified": "2025-08-20T14:40:17.713", "sourceIdentifier": "security-advisories@github.com"}