CVE-2024-37146

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.
Configurations

Configuration 1 (hide)

cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*

History

21 Aug 2024, 14:38

Type Values Removed Values Added
References () https://github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts#L545-L545 - () https://github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts#L545-L545 - Product
References () https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/ - () https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
First Time Flowiseai flowise
Flowiseai

02 Jul 2024, 12:09

Type Values Removed Values Added
Summary
  • (es) Flowise es una interfaz de usuario de arrastrar y soltar para crear un flujo de modelo de lenguaje grande personalizado. En la versión 1.4.3 de Flowise, se produce una vulnerabilidad de cross-site scripting reflejado en el endpoint `/api/v1/credentials/id`. Si se utiliza la configuración predeterminada (no autenticada), un atacante puede crear una URL especialmente manipulada que inyecta Javascript en las sesiones del usuario, lo que le permite robar información, crear ventanas emergentes falsas o incluso redirigir al usuario a otros sitios web sin interacción. Si no se encuentra el ID del flujo de chat, su valor se refleja en la página 404, que tiene el tipo texto/html. Esto permite a un atacante adjuntar scripts arbitrarios a la página, lo que le permite robar información confidencial. Este XSS puede encadenarse con la inyección de ruta para permitir que un atacante sin acceso directo a Flowise lea archivos arbitrarios del servidor Flowise. Al momento de la publicación, no hay parches conocidos disponibles.

01 Jul 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-01 19:15

Updated : 2024-08-21 14:38


NVD link : CVE-2024-37146

Mitre link : CVE-2024-37146

CVE.ORG link : CVE-2024-37146


JSON object : View

Products Affected

flowiseai

  • flowise
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')