CVE-2024-36421

Name of the Vulnerable Software and Affected Versions Flowise version 1.4.3

Description The issue is related to a CORS misconfiguration in Flowise, where the Access-Control-Allow-Origin header is set to allow all origins, enabling arbitrary origins to connect to the website. This could allow unauthorized access to user information. Additionally, this misconfiguration may be exploited in conjunction with path injection to read arbitrary files from the Flowise server.

Recommendations For version 1.4.3, as a temporary workaround, consider restricting access to the Flowise interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.