CVE-2024-9148
CRITICAL 9.6, EPSS 1.9%
Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
Published: 9/25/2024
Modified: 9/30/2024
Description
Flowise < 2.1.1 suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0.
Affected packages (2)
- npm/flowise: from 0, < 2.1.1
- npm/flowise-embed: from 0, < 2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P |
| osv | CVSS 3.1 | CRITICAL 9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-9148
- PATCH: https://github.com/FlowiseAI/FlowiseChatEmbed
- WEB: https://github.com/FlowiseAI/FlowiseChatEmbed/commit/6a9645df41371cb69f251038d501ec87b1304c84
- WEB: https://github.com/FlowiseAI/FlowiseChatEmbed/releases/tag/flowise-embed%402.0.0
- WEB: https://github.com/FlowiseAI/Flowise/commit/8375ebb4ec1ebb2b1295561cc0f63486a29f3fde
- WEB: https://github.com/FlowiseAI/Flowise/releases/tag/flowise%402.1.1
- WEB: https://www.tenable.com/security/research/tra-2024-40