CVE-2023-33175
toui allows user-specific variables to be shared between users
9.1
CRITICAL
CVSS 3.1
EPSS 0.70%
描述
### Impact Websites that use `Website.user_vars` property in versions. ### Patches It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1 ### Workarounds Do not use `Website.user_vars` in websites when using versions v2.0.1 to v2.4.0. Also, do not use `Website.signin_user()` in version v2.4.0 only. ### Explanation ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.
如何修補 CVE-2023-33175
要修補 CVE-2023-33175,請將受影響套件升級到下列已修補版本。
- —升級至 2.4.1 或更新版本
CVE-2023-33175 正在被利用嗎?
低 — EPSS 為 0.7%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 2.0.1, < 2.4.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |