CVE-2024-22417: Flask Send File User Mimetype

A user-controlled value is used as the MIME type in `send_file`. If the content being sent is fetched from an attacker-controlled external source without validation, this can lead to XSS.

Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0

Python

greprules fetch cve-2024-22417-flask-send-file-user-mimetype --engine opengrep

Description

A user-controlled value is used as the MIME type in `send_file`. If the content being sent is fetched from an attacker-controlled external source without validation, this can lead to XSS.

License: Apache-2.0
Source context: Public repository
Source: Provally CVE rule catalog
Validation status: Verified
Quality signals: 135 downloads
0 direct135 via packs
· 0 stars · Quality score 77How quality works
Included packs: 2 packs

Community feedback

0 signals from signed-in users.

Useful: 0
False positive: 0
Metadata: 0