MEDIUM🇵🇱 Wersja polska

CVE-2025-55737

CVSS 6.9v4.0pub. 2025-08-19upd. 2025-08-21

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dogukanurker Flaskblog

    APP
    Dogukanurker
    ≤ 2.8.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-55736CRITICAL9.3PL ✓ten sam produkt

FlaskBlog: nieuprawniona eskalacja uprawnień do roli administratora

CVE-2025-28104CRITICAL9.1PL ✓ten sam produkt

Nieprawidłowa kontrola dostępu w FlaskBlog — ujawnienie nazw użytkowników

CVE-2025-55734MEDIUM6.9ten sam produkt

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" onl...

CVE-2025-55735MEDIUM5.3ten sam produkt

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of...

CVE-2025-53631MEDIUM5.3ten sam produkt

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent wh...