3 matches found
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the Object.assign function. An attacker can manipulate internal entity fields such as id, createdDate, and chatId by...
Arbitrary File Upload
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary File Upload via the /api/v1/attachments/:chatflowId/:chatId endpoint, which allows unauthenticated file uploads by trusting the client-supplied MIME type without verifying the actual file content ...
Access Control Bypass
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Access Control Bypass in the middleware that processes requests to /api/v1 endpoints. An attacker can gain unauthorized access to internal administration APIs by spoofing the x-request-from header as...