Flowise Discloses Reflected Cross-Site Scripting Vulnerability
CVE-2024-37145

6.1 MEDIUM

Key Information:

Vendor: Flowiseai

Status
Vendor
CVE Published: 1 July 2024

What is CVE-2024-37145?

In Flowise version 1.4.3, the '/api/v1/chatflows-streaming/id' endpoint is vulnerable to reflected cross-site scripting (XSS). The issue is present when the default configuration is kept, because that configuration permits unauthenticated access. An attacker can craft a URL that injects malicious JavaScript into user sessions, which might result in the theft of sensitive information, the creation of misleading popups, or redirects to other malicious sites without any user interaction. Notably, if the specified chatflow ID is invalid, it is reflected on the 404 error page, which is served with an HTML content type. This allows an attacker to attach arbitrary scripts to the response, further facilitating the theft of sensitive data. Additionally, this XSS vulnerability can be combined with path injection techniques, giving attackers the ability to access arbitrary files on the Flowise server without any direct access. Currently, there are no available patches for this issue.
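The reflection described above, sketched as an added example (not Flowise source code and not part of the advisory): a 404 builder that echoes the ID into an HTML response, next to two hardened forms. The function names, the message wording and the assumption that valid chatflow IDs are UUIDs are illustrative.

```javascript
// Added example, not Flowise source. Responses are plain objects so the
// behaviours can be compared without a web framework.

// Assumption: legitimate chatflow IDs are UUIDs.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Behaviour the advisory describes: the unknown ID is copied verbatim into a
// 404 body served as HTML, so markup inside the ID is parsed by the browser.
// The message wording here is illustrative.
function notFoundReflecting(id) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `Chatflow ${id} not found`,
  };
}

// Hardened form: malformed IDs are rejected without being echoed, and
// well-formed but unknown IDs are answered as JSON with sniffing disabled.
function notFoundHardened(id) {
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  if (typeof id !== 'string' || !UUID_RE.test(id)) {
    return { status: 400, headers, body: JSON.stringify({ error: 'invalid chatflow id' }) };
  }
  return { status: 404, headers, body: JSON.stringify({ error: 'chatflow not found', id }) };
}

// Fallback when an HTML error page is unavoidable: encode the ID on output.
function notFoundHtmlEscaped(id) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body: `Chatflow ${escapeHtml(id)} not found`,
  };
}

// Constructed sample inputs.
const SAMPLE_MARKUP_ID = '<script>marker</script>';
const SAMPLE_UNKNOWN_ID = '00000000-0000-4000-8000-000000000000';
```

With no vendor patch available, the same ID validation can sit in a reverse proxy or middleware in front of the endpoint.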

Affected Version(s)

Flowise <= 1.4.3

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
