{"package":"Flask-User","ecosystem":"pypi","latest_version":"1.0.2.2","description":"Customizable User Authentication & User Management: Register, Confirm, Login, Change username/password, Forgot password and more.","license":"MIT","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://github.com/lingthio/Flask-User","repository":"https://github.com/lingthio/Flask-User","downloads_weekly":1517,"health":{"score":46,"risk":"high","breakdown":{"maintenance":0,"popularity":6,"security":23,"maturity":15,"community":2},"deprecated":false,"max_score":100},"vulnerabilities":{"count":2,"critical":0,"high":0,"medium":1,"low":1,"details":[{"vuln_id":"CVE-2021-23401","severity":"medium","summary":"Open Redirect in Flask-User","affected_versions":"<=1.0.2.2|=0.3|=0.3.1|=0.3.2|=0.3.3|=0.3.4|=0.3.5|=0.3.6|=0.3.7|=0.3.8|=0.4.0|=0.4.1|=0.4.2|=0.4.3|=0.4.4|=0.4.5|=0.4.6|=0.4.7|=0.4.8|=0.4.9|=0.5.0|=0.5.1|=0.5.2|=0.5.3|=0.5.4|=0.5.5|=0.6|=0.6.1|=0.6.10|=0.6.12|=0.6.13|=0.6.14|=0.6.15|=0.6.16|=0.6.17|=0.6.19|=0.6.2|=0.6.20|=0.6.21|=0.6.3|=0.6.4|=0.6.5|=0.6.6|=0.6.7|=0.6.8|=0.6.9|=1.0.1.1|=1.0.1.2|=1.0.1.3|=1.0.1.4|=1.0.1.5|=1.0.2.0|=1.0.2.1|=1.0.2.2","fixed_version":null,"source":"osv","published_at":"2021-08-09T20:44:32Z","in_kev":false,"epss_prob":0.00265,"epss_percentile":0.49934,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-23401","severity":"unknown","summary":"This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple slashes or backslashes such as /////evil.com/path or \\\\\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False'.","affected_versions":"=0.3|=0.3.1|=0.3.2|=0.3.3|=0.3.4|=0.3.5|=0.3.6|=0.3.7|=0.3.8|=0.4.0|=0.4.1|=0.4.2|=0.4.3|=0.4.4|=0.4.5|=0.4.6|=0.4.7|=0.4.8|=0.4.9|=0.5.0|=0.5.1|=0.5.2|=0.5.3|=0.5.4|=0.5.5|=0.6|=0.6.1|=0.6.10|=0.6.12|=0.6.13|=0.6.14|=0.6.15|=0.6.16|=0.6.17|=0.6.19|=0.6.2|=0.6.20|=0.6.21|=0.6.3|=0.6.4|=0.6.5|=0.6.6|=0.6.7|=0.6.8|=0.6.9|=1.0.1.1|=1.0.1.2|=1.0.1.3|=1.0.1.4|=1.0.1.5|=1.0.2.0|=1.0.2.1|=1.0.2.2","fixed_version":null,"source":"osv","published_at":"2021-07-05T11:15:00Z","in_kev":false,"epss_prob":0.00265,"epss_percentile":0.49934,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"1.0.2.2","total_count":53,"recent":["0.6.8","0.6.9","0.6.10","0.6.12","0.6.13","0.6.14","0.6.15","0.6.16","0.6.17","0.6.19","0.6.20","0.6.21","1.0.1.1","1.0.1.2","1.0.1.3","1.0.1.4","1.0.1.5","1.0.2.0","1.0.2.1","1.0.2.2"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1,"first_published":null,"last_published":"2019-11-30T11:59:14.701911Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"safe_to_use","issues":[],"use_version":"1.0.2.2","version_hint":null,"summary":"Flask-User@1.0.2.2 is safe to use (health: 46/100); caveat: CVE-2021-23401 (open redirect via make_safe_url) affects this version, no fixed version is listed, and the last release was published 2019-11-30"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":2344,"avg_days_between_releases":null,"release_velocity":"stale"}}