CVE-2025-55734
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dogukanurker | flaskblog | up to and including 2.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in flaskBlog versions 2.8.0 and earlier, where the application only checks if a user has the 'admin' role when accessing the /admin page itself, but not when accessing its subroutes such as /admin/posts or /admin/comments. Because the user role check is missing on these subroutes, unauthorized users can bypass access restrictions and view sensitive admin pages that they should not have access to.
How can this vulnerability impact me?
An attacker or unauthorized user can exploit this vulnerability to access sensitive administrative pages and data without proper authorization. This can lead to leakage of sensitive information and unauthorized actions within the admin sections of the flaskBlog application.
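The two guard styles described above, side by side, as an added Python example (constructed here, not flaskBlog's code; the `Request` record, the route list and the helper names are assumptions): a per-route check that covers only the `/admin` index, and the fix, one central check over the whole `/admin` prefix with path normalization so that `/administrator` is not treated as an admin page while a differently spelled admin path still is.

```python
"""CWE-862 on admin subroutes: vulnerable per-route guard vs. central prefix guard.
Constructed illustration; names and sample paths are assumptions, not flaskBlog code."""
from dataclasses import dataclass

ADMIN_PREFIX = "/admin"


@dataclass
class Request:
    path: str
    role: str  # role of the logged-in user, e.g. "admin" or "user"


def vulnerable_allows(req: Request) -> bool:
    """Per-route check: only the /admin index verifies the role, so
    subroutes such as /admin/posts or /admin/comments are served to anyone."""
    if req.path == ADMIN_PREFIX:
        return req.role == "admin"
    return True  # every other route, including /admin/*, falls through


def normalize(path: str) -> str:
    """Collapse repeated slashes and resolve '.' / '..' segments so the prefix
    test below cannot be sidestepped by a differently spelled admin path."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_admin_path(path: str) -> bool:
    """True for /admin and anything below it, but not for e.g. /administrator."""
    p = normalize(path)
    return p == ADMIN_PREFIX or p.startswith(ADMIN_PREFIX + "/")


def hardened_allows(req: Request) -> bool:
    """Central guard (in Flask: a before_request hook or a decorator on the
    admin blueprint): a single check covers every admin subroute."""
    if is_admin_path(req.path):
        return req.role == "admin"
    return True


def audit(checker, paths, role="user"):
    """Return the admin paths that `checker` would serve to a non-admin role."""
    return [p for p in paths if is_admin_path(p) and checker(Request(p, role))]


# Constructed sample routes, including two oddly spelled admin paths.
SAMPLE_PATHS = ["/", "/post/1", "/admin", "/admin/posts", "/admin/comments",
                "/admin//users", "/administrator", "/blog/../admin/posts"]
```

Running `audit(vulnerable_allows, SAMPLE_PATHS)` lists every admin subroute a plain user can reach; the same audit against `hardened_allows` returns an empty list.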