Description
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.
Problem types
Insufficient Session Expiration
Product status
Any version before 3.0.10
3.0.10 (semver)
Credits
mbiesiad
References
github.com/...lowise/security/advisories/GHSA-x7rp-qj2h-ghgw (GitHub Security Advisory (GHSA-x7rp-qj2h-ghgw))
www.vulncheck.com/...alidation-failure-after-password-change (VulnCheck Advisory: Flowise - Session Invalidation Failure After Password Change)