The vulnerability, GHSA-x39m-3393-3qp4, allowed for account takeover due to missing authentication on critical functions. The core of the issue was in the UserService.updateUser backend function, which failed to verify the user's current password when updating sensitive information like the password itself or the email address.
On the frontend, the validateAndSubmit function (in the now-removed UserProfile.jsx) and later the saveProfileData function (in account/index.jsx) allowed a user to submit these changes. An attacker with access to a user's session could change the account's email address to one under their control. Subsequently, they could use the password reset mechanism to take over the account. Additionally, the same vulnerable backend endpoint allowed changing the password without providing the old one.
The patch addressed these issues by enforcing password verification. The UserService.updateUser function was modified to require and validate the oldPassword before any password change. The frontend was also refactored to separate profile data changes from security-related changes, and the password change form now correctly requires the old password. The functions listed below are the key components of the vulnerable workflow.
| Function | File |
|---|---|
| UserService.updateUser | packages/server/src/enterprise/services/user.service.ts |
| validateAndSubmit | packages/ui/src/views/account/UserProfile.jsx |
| saveProfileData | packages/ui/src/views/account/index.jsx |
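The following TypeScript is an added illustration of the two patterns described above; it is not Flowise's code. It models a minimal in-memory user service with a vulnerable updateUser that rotates email or password on any authenticated request, beside a hardened variant that demands the caller's current password (oldPassword) before touching either sensitive field. The class name, the salt:hash storage format and the sample account are assumptions made for the example.

```typescript
// Added example (not Flowise's code): vulnerable vs. hardened updateUser.
import { scryptSync, randomBytes, timingSafeEqual } from "crypto";

interface User {
  id: string;
  email: string;
  passwordHash: string; // assumed "salt:hex" storage format
}

interface UpdateRequest {
  email?: string;
  password?: string;
  oldPassword?: string; // required by the hardened path for sensitive changes
}

function hashPassword(password: string, salt: string = randomBytes(16).toString("hex")): string {
  return `${salt}:${scryptSync(password, salt, 32).toString("hex")}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [salt, hex] = stored.split(":");
  const expected = Buffer.from(hex, "hex");
  const actual = scryptSync(password, salt, 32);
  // Constant-time comparison so the check does not leak via timing.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

class InMemoryUserService {
  private users = new Map<string, User>();

  constructor() {
    // Constructed sample account for the demonstration.
    this.users.set("u1", {
      id: "u1",
      email: "alice@example.test",
      passwordHash: hashPassword("correct horse"),
    });
  }

  getUser(id: string): User | undefined {
    return this.users.get(id);
  }

  // Vulnerable pattern: a valid session is enough to change the email or
  // password; the current password is never checked.
  updateUserVulnerable(id: string, req: UpdateRequest): User {
    const user = this.users.get(id);
    if (!user) throw new Error("user not found");
    if (req.email !== undefined) user.email = req.email;
    if (req.password !== undefined) user.passwordHash = hashPassword(req.password);
    return user;
  }

  // Hardened pattern: any request that touches email or password must carry
  // the current password, which is verified before anything is written.
  // Non-sensitive profile fields would live on a separate update path.
  updateUserHardened(id: string, req: UpdateRequest): User {
    const user = this.users.get(id);
    if (!user) throw new Error("user not found");
    const touchesSensitive = req.email !== undefined || req.password !== undefined;
    if (touchesSensitive) {
      if (req.oldPassword === undefined || !verifyPassword(req.oldPassword, user.passwordHash)) {
        throw new Error("current password required to change email or password");
      }
    }
    if (req.email !== undefined) user.email = req.email;
    if (req.password !== undefined) user.passwordHash = hashPassword(req.password);
    return user;
  }
}
```

The key defensive property is that the hardened path decides whether a request is sensitive from the fields it carries, not from which form submitted it, so a client that bypasses the frontend split still cannot change the email or password without the current one.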
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| flowise-ui | npm | < 3.0.10 | 3.0.10 |