CVE-2023-33175 — toui allows user-specific variables to be shared between users

Description

### Impact Websites that use `Website.user_vars` property in versions. ### Patches It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1 ### Workarounds Do not use `Website.user_vars` in websites when using versions v2.0.1 to v2.4.0. Also, do not use `Website.signin_user()` in version v2.4.0 only. ### Explanation ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.

How to fix CVE-2023-33175

To remediate CVE-2023-33175, upgrade the affected package to a fixed version below.

—upgrade to 2.4.1 or later

Is CVE-2023-33175 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.1, < 2.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-33175
PATCHgithub.com/mubarakalmehairbi/ToUI
WEBgithub.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1
WEBgithub.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563