{
  "schema_version": "1.4.0",
  "id": "GHSA-fxq4-r6mr-9x64",
  "modified": "2021-04-08T16:45:47Z",
  "published": "2021-04-08T16:46:00Z",
  "aliases": [],
  "summary": "CSRF Vuln can expose user's QRcode",
  "details": "### Impact\nWhen a user is setting up two-factor authentication using an authenticator app, a QRcode is generated and made available via a GET request to /tf-qrcode. Since GETs do not have any CSRF protection, it is possible a malicious 3rd party could access the QRcode and therefore gain access to two-factor authentication codes. Note that the /tf-qrcode endpoint is ONLY accessible while the user is initially setting up their device. Once setup is complete, there is no vulnerability.\n\n### Patches\nThis is fixed in the upcoming 4.0.0 release.\n\n### Workarounds\nYou can provide your own URL for fetching the QRcode by defining SECURITY_TWO_FACTOR_QRCODE_URL and providing your own implementation (that presumably required a POST with CSRF protection). This would require changing the two-factor setup template as well.\n\n### References\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Read this pull request: #423",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Flask-Security-Too"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.4.5"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-fxq4-r6mr-9x64"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/Flask-Security-Too"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-08T16:45:47Z",
    "nvd_published_at": null
  }
}