CVE-2024-36423

CVSS score: 6.1 (MEDIUM)

📋 TL;DR

Flowise version 1.4.3 has a reflected cross-site scripting (XSS) vulnerability in the /api/v1/public-chatflows/id endpoint: the chatflow ID taken from the URL is reflected into the 404 response without encoding, so an attacker can inject JavaScript via a crafted link. This can lead to session hijacking, data theft, or file reading when chained with path injection. Organizations running Flowise in its default unauthenticated configuration are affected.

💻 Affected Systems

Products:
  • Flowise
Versions: 1.4.3 (the version named in the report); earlier versions with the same endpoint code are likely affected as well
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration with unauthenticated access makes exploitation easier.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal sensitive data, read arbitrary files from the server, and compromise user sessions through malicious redirects or popups.

🟠 Likely Case

Session hijacking and data exfiltration from users who click malicious links, potentially leading to credential theft.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and authentication enabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting malicious URLs but is straightforward with default settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor Flowise GitHub repository for updates.

🔧 Temporary Workarounds

Enable Authentication (applies to: all platforms)

Configure Flowise to require authentication, preventing unauthenticated access to the vulnerable endpoint.

How: configure authentication in Flowise settings (the specific commands depend on the deployment method).

Input Validation and Output Encoding (applies to: all platforms)

Implement server-side validation of chatflow IDs and encode outputs to prevent script injection.

How: modify the server code to validate the ID and encode any value echoed back in the affected endpoint's responses.
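The following is an added example, not Flowise's own code, showing the two workarounds above as they would look in a Node.js handler: an allow-list check on the chatflow ID before it is used, and HTML encoding of anything echoed back in the "not found" page. It assumes (as a labelled assumption) that chatflow IDs are UUIDs and that the 404 body is server-rendered HTML; the function names `isValidChatflowId`, `escapeHtml` and `buildNotFoundResponse` are hypothetical, and the response is built as a plain object so the code runs without Express.

```javascript
// Added example (not Flowise's own code): hardening a "chatflow not found"
// response so the ID taken from the URL path is never reflected as markup.
// Assumption: chatflow IDs are UUIDs; adapt UUID_RE if your IDs differ.

const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Allow-list validation: reject anything that is not a well-formed ID before
// it reaches a database lookup or an error page.
function isValidChatflowId(id) {
  return typeof id === 'string' && UUID_RE.test(id);
}

// Output encoding: escape the five characters that can break out of an HTML
// text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the error response for an ID that did not resolve to a chatflow.
// Invalid IDs get a generic message that does not echo the input at all;
// well-formed but unknown IDs are echoed only after encoding.
function buildNotFoundResponse(rawId) {
  let id;
  try {
    id = decodeURIComponent(rawId); // check the decoded form, not the raw bytes
  } catch {
    id = rawId; // malformed percent-encoding: treat the string literally
  }
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    // Defence in depth: even if a reflection slipped through, inline script
    // would be blocked by the browser.
    'Content-Security-Policy': "default-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
  if (!isValidChatflowId(id)) {
    return { status: 400, headers, body: '<p>Invalid chatflow ID.</p>' };
  }
  return {
    status: 404,
    headers,
    body: `<p>Chatflow ${escapeHtml(id)} was not found.</p>`,
  };
}

// Wiring into an Express route would look like (hypothetical, after the
// real lookup has failed):
//   app.get('/api/v1/public-chatflows/:id', (req, res) => {
//     const r = buildNotFoundResponse(req.params.id);
//     res.status(r.status).set(r.headers).send(r.body);
//   });

module.exports = { isValidChatflowId, escapeHtml, buildNotFoundResponse };
```

The validation step is the one that matters most here: once the ID is constrained to a fixed format, there is nothing script-like left to encode, and the encoding and CSP headers remain as layers in case a later change echoes some other untrusted value.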

🧯 If You Can't Patch

  • Restrict network access to Flowise instances to trusted users only.
  • Implement a web application firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Test by accessing /api/v1/public-chatflows/<script>alert('XSS')</script> and checking whether the script executes in the 404 page.

Check Version:

Check Flowise version in package.json or via application interface.

Verify Fix Applied:

Verify that malicious input in the chatflow ID parameter is properly sanitized and does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /api/v1/public-chatflows/ with script-like patterns in parameters

Network Indicators:

  • HTTP 404 responses containing reflected user input with script tags

SIEM Query:

source="flowise" AND url="/api/v1/public-chatflows/*" AND (status=404 OR contains(input, "<script>"))
