CVE-2024-27083: Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the...

Description

Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. This issue was introduced on 4.1.4 and patched on 4.2.1.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.57%

42.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Dpgaspar	Flask-Appbuilder	>= 4.1.4, < 4.2.1

References

Timeline

Published: Feb 29, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-27083?

Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. This issue was introduced on 4.1.4 and patched on 4.2.1.

How severe is CVE-2024-27083?

CVE-2024-27083 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.57% probability of exploitation in the next 30 days.

How do I fix CVE-2024-27083?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.