Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.
The system does not implement an effective account lockout mechanism after a specified number of failed login attempts (missing or bypassed Account Lockout policy). An unauthenticated remote attacker, without any privileges and without user interaction, can send an unlimited number of login requests with different password combinations. The lack of attempt restrictions allows for automated testing of large password sets until the correct one is found.
An attacker can guess the password of any user in the system and take control of their account, gaining access to sensitive data and Agentflow system functions. Depending on the privileges of the compromised account, it is possible to violate the confidentiality, integrity, and availability of the system.
Apply patches available from the manufacturer in accordance with references published by TWCERT/CC at: https://www.twcert.org.tw/en/cp-139-10090-112f7-2.html and https://www.twcert.org.tw/tw/cp-132-10091-12462-1.html. Additionally, until the fix is implemented, it is recommended to restrict access to the login interface at the network level (firewall, VPN) and implement external mechanisms to limit login attempts (e.g., WAF, reverse proxy with rate limiting).
Flowring Agentflow — versions specified in the manufacturer's references (TWCERT/CC)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFlowring Agentflow
APPFlowring4.0
Related vulnerabilities
Pomijanie uwierzytelnienia w Flowring Agentflow — przejęcie tokenu dowolnego użytkownika
Flowring Agentflow — brak uwierzytelnienia umożliwia manipulację bazą danych
The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauth...
Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote atta...
Agentflow BPM enterprise management system has improper authentication. A remote attacker with general user pr...