Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/flowise-ui@1.4.0-rc.1

Type npm

Namespace

Name flowise-ui

Version 1.4.0-rc.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.0.10

Latest_non_vulnerable_version 3.0.10

Affected_by_vulnerabilities

url VCID-j3sa-p9az-s7dx

vulnerability_id VCID-j3sa-p9az-s7dx

summary

Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change

The application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester’s authority to make that change (no confirmation to the old email, no authentication step). Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account’s recovery/login address.

references

reference_url

https://github.com/FlowiseAI/Flowise

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise

reference_url

https://github.com/FlowiseAI/Flowise/pull/5294

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/pull/5294

reference_url

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10

reference_url

https://github.com/advisories/GHSA-x39m-3393-3qp4

reference_id

GHSA-x39m-3393-3qp4

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x39m-3393-3qp4

reference_url

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4

reference_id

GHSA-x39m-3393-3qp4

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4

fixed_packages

url	pkg:npm/flowise-ui@3.0.10
purl	pkg:npm/flowise-ui@3.0.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/flowise-ui@3.0.10

aliases GHSA-x39m-3393-3qp4

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j3sa-p9az-s7dx

url VCID-qf7d-n82s-b7hz

vulnerability_id VCID-qf7d-n82s-b7hz

summary

Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)

An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover)

references

reference_url

https://github.com/FlowiseAI/Flowise

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise

reference_url

https://github.com/FlowiseAI/Flowise/pull/5294

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/pull/5294

reference_url

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.10

reference_url

https://github.com/advisories/GHSA-fjh6-8679-9pch

reference_id

GHSA-fjh6-8679-9pch

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fjh6-8679-9pch

reference_url

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch

reference_id

GHSA-fjh6-8679-9pch

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fjh6-8679-9pch

fixed_packages

url	pkg:npm/flowise-ui@3.0.10
purl	pkg:npm/flowise-ui@3.0.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/flowise-ui@3.0.10

aliases GHSA-fjh6-8679-9pch

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qf7d-n82s-b7hz

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise-ui@1.4.0-rc.1

Package Instance