ГлавнаяУязвимости → CVE-2025-71337
8.3высокая

CVE-2025-71337

Описание

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

Затрагиваемое ПО
Flowiseai Flowise
CVSS
Балл8.3 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Источники
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpointhttps://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4