GHSA-5H9V-837X-M97R FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Dataset entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The Dataset controller/service constructs a new...

FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Dataset entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The Dataset controller/service constructs a new...

NPM: FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover

NPM: FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through improper handling of the Object.assign process in the dataset service. An attacker can gain unauthorized access to...

FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the CustomTemplate entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/marketplaces/index.ts Root cause: The CustomTemplate controller/servi...

NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover

NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over resources belonging to other...

GHSA-728H-4MWJ-F2P4 FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the CustomTemplate entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/marketplaces/index.ts Root cause: The CustomTemplate controller/servi...

NPM: FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover

NPM: FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...

GHSA-78PR-C5X5-JGGC FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...

NPM: FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation...

GHSA-HP26-Q66V-Q2W7 FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment...

GHSA-5WXP-QJGQ-FX6M FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...

NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

NPM: FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/tools endpoint when the server fails to validate and restrict client-supplied fields in the request body. An...

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...