Look up vulnerable packages by Package URL (purl).

GET /api/packages/898176?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/898176?format=api",
    "purl": "pkg:npm/flowise-ui@1.2.6",
    "type": "npm",
    "namespace": "",
    "name": "flowise-ui",
    "version": "1.2.6",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "3.0.10",
    "latest_non_vulnerable_version": "3.0.10",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48380?format=api",
            "vulnerability_id": "VCID-j3sa-p9az-s7dx",
            "summary": "Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)\nUnverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change\n\nThe application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester’s authority to make that change (no confirmation to the old email, no authentication step). Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account’s recovery/login address.",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/pull/5294",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise/pull/5294"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x39m-3393-3qp4",
                    "reference_id": "GHSA-x39m-3393-3qp4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-x39m-3393-3qp4"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4",
                    "reference_id": "GHSA-x39m-3393-3qp4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/71414?format=api",
                    "purl": "pkg:npm/flowise-ui@3.0.10",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise-ui@3.0.10"
                }
            ],
            "aliases": [
                "GHSA-x39m-3393-3qp4"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j3sa-p9az-s7dx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48379?format=api",
            "vulnerability_id": "VCID-qf7d-n82s-b7hz",
            "summary": "Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change\nBypass of Password Confirmation - Unverified Password Change (authenticated change without current password)\n\nAn authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)",
            "references": [
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/pull/5294",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise/pull/5294"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fjh6-8679-9pch",
                    "reference_id": "GHSA-fjh6-8679-9pch",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fjh6-8679-9pch"
                },
                {
                    "reference_url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch",
                    "reference_id": "GHSA-fjh6-8679-9pch",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/71414?format=api",
                    "purl": "pkg:npm/flowise-ui@3.0.10",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise-ui@3.0.10"
                }
            ],
            "aliases": [
                "GHSA-fjh6-8679-9pch"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qf7d-n82s-b7hz"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.0",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/flowise-ui@1.2.6"
}