CVE-2023-33175: 
Python vulnerability analysis and mitigation

ToUI, a Python package for creating user interfaces (websites and desktop apps) from HTML, was found to have a critical vulnerability (CVE-2023-33175) affecting versions 2.0.1 to 2.4.0. The vulnerability was discovered and disclosed in May 2023, specifically impacting websites that use the Website.user_vars property (GitHub Advisory).

The vulnerability stems from ToUI's implementation of Flask-Caching (SimpleCache) for storing user variables. The core issue was a misunderstanding in the caching mechanism, where user variables were being stored server-side rather than in the client's browser as intended. This implementation received a CVSS v3.1 base score of 9.1 CRITICAL from GitHub, and 7.5 HIGH from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability results in user-specific variables being shared between different users of the affected applications, potentially leading to unauthorized access to user data and privacy breaches. This affects any website implementing the Website.user_vars property in the vulnerable versions (GitHub Advisory).

The vulnerability has been patched in version 2.4.1. Users are strongly advised to upgrade to this version. For those unable to upgrade immediately, the recommended workaround is to avoid using Website.uservars in websites when running versions 2.0.1 to 2.4.0. Additionally, Website.signinuser() should not be used specifically in version 2.4.0 (GitHub Release).