CVE-2024-37146

Name of the Vulnerable Software and Affected Versions Flowise version 1.4.3

Description A reflected cross-site scripting issue occurs in the "/api/v1/credentials/id" endpoint. If the default configuration is used, an attacker may craft a specially crafted URL to inject Javascript into user sessions, allowing information theft, false popups, or redirects to other websites. The chatflow ID value is reflected in the 404 page, enabling attackers to attach arbitrary scripts and steal sensitive information. This issue may be chained with path injection to read arbitrary files from the Flowise server.

Recommendations For version 1.4.3, as a temporary workaround, consider disabling access to the "/api/v1/credentials/id" endpoint until a patch is available. Restrict the use of the chatflow ID parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.