Vulnerability Information
Vulnerability Title
Flowise - Session Hijacking via Weak Default Express Session Secret
Vulnerability Description
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Use of Hard-coded Credentials
Vulnerability Title
FlowiseAI Flowise Trust Management Issue Vulnerability
Vulnerability Description
FlowiseAI Flowise is an open-source tool from FlowiseAI for easily building LLM applications. Versions of FlowiseAI Flowise before 3.1.0 contain a trust management vulnerability that stems from the use of a weak hard-coded default secret for the express-session middleware; it may allow an attacker to forge validly signed session cookies and impersonate any user to bypass authentication.
CVSS Information
N/A
Vulnerability Type
N/A