GHSA-4xff-r326-4qv2HighCVSS 8.3
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change...
🔗 CVE IDs covered (1)
📋 Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.