CVE-2024-36422

Name of the Vulnerable Software and Affected Versions Flowise version 1.4.3

Description A reflected cross-site scripting issue occurs in the "api/v1/chatflows/id" endpoint of Flowise. This allows an attacker to craft a specially crafted URL that injects Javascript into user sessions, potentially stealing information, creating false popups, or redirecting users to other websites. If the chatflow ID is not found, its value is reflected in the 404 page, enabling an attacker to attach arbitrary scripts and steal sensitive information. This issue may be chained with path injection to read arbitrary files from the Flowise server.

Recommendations For version 1.4.3, as a temporary workaround, consider disabling the api/v1/chatflows/id endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.