CORS Misconfiguration in Flowise Allows Arbitrary Origins to Access Sensitive Information
CVE-2024-36421
7.5 HIGH
What is CVE-2024-36421?
In Flowise version 1.4.3, a CORS misconfiguration causes the Access-Control-Allow-Origin header to allow requests from any origin. As a result, unauthenticated attackers can make requests to the application and steal sensitive information from its users. The misconfiguration can also be combined with path injection, allowing attackers without direct access to Flowise to read arbitrary files stored on the server. At the time of reporting, no patch is known to be available.
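The difference between an allow-any-origin policy and an exact-match allowlist, shown as an added example that is not Flowise's code or part of the original advisory. The function names, the allowlist entry, the origins and the sample response headers are all constructed assumptions. The audit goes slightly beyond the advisory text by flagging both a wildcard value and a reflected Origin, the two usual ways a server ends up allowing every origin.

```javascript
// Constructed allowlist (assumption): origins permitted to read responses cross-origin.
const ALLOWED_ORIGINS = new Set(['https://flowise.example.internal']);

// Hardened policy: return the Origin only on an exact allowlist match.
// No Access-Control-Allow-Origin header means the browser blocks the cross-origin read.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' }; // response differs per Origin, so caches must key on it
  if (typeof origin === 'string' && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Audit: given the Origin a check sent and the headers that came back,
// list the ways the response exposes data to origins outside the allowlist.
function auditCors(sentOrigin, responseHeaders, allowed = ALLOWED_ORIGINS) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'];
  const findings = [];
  if (acao === undefined) return findings;
  if (acao === '*') {
    findings.push('wildcard-origin');
  } else if (!allowed.has(acao)) {
    findings.push(acao === sentOrigin ? 'reflects-untrusted-origin' : 'untrusted-origin-allowed');
    if ((h['access-control-allow-credentials'] || '').toLowerCase() === 'true') {
      findings.push('credentials-to-untrusted-origin');
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = {
  wildcard: { 'Access-Control-Allow-Origin': '*' },
  reflected: {
    'Access-Control-Allow-Origin': 'https://untrusted.example',
    'Access-Control-Allow-Credentials': 'true',
  },
  hardened: corsHeadersFor('https://untrusted.example'),
};
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, auditCors('https://untrusted.example', headers));
}
```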
Affected Version(s)
Flowise <= 1.4.3
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved