Platform
nodejs
Component
flowise-embed
Fixed in
2.1.1
2.0.0
CVE-2024-9148 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting Flowise Embed versions prior to 2.0.0, and consequently Flowise versions before 2.1.1. This vulnerability arises from a lack of proper input sanitization within Flowise Chat Embed, allowing attackers to inject malicious scripts. Successful exploitation could lead to unauthorized access, data theft, and session hijacking, impacting users interacting with Flowise applications.
The XSS vulnerability in Flowise Embed allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they interact with a vulnerable Flowise application. An attacker could leverage this to steal sensitive information like session cookies, user credentials, or even redirect users to malicious websites. The impact is particularly severe because the vulnerability is 'stored,' meaning the malicious script persists on the server and can affect multiple users over time. This contrasts with reflected XSS, which requires an attacker to trick a user into clicking a malicious link. The potential for widespread impact and data compromise makes this a high-priority vulnerability.
CVE-2024-9148 was publicly disclosed on 2024-09-25. As of this writing, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 9.6 (CRITICAL) indicates a high probability of exploitation if the vulnerability remains unpatched. It is not currently listed on CISA KEV. The availability of a fix (version 2.0.0) significantly reduces the risk, but diligent patching is essential.
Websites and applications that integrate Flowise Chat Embed versions prior to 2.0.0 are at risk. This includes developers who have directly included the package in their projects, as well as users of platforms or services that utilize Flowise Chat Embed without proper security controls. Shared hosting environments where multiple websites share the same server infrastructure are particularly vulnerable, as a compromise of one website could potentially affect others.
• nodejs / supply-chain:
npm list flowise-embed
If the version is less than 2.1.1, the system is vulnerable.
• generic web: Inspect the Flowise Chat Embed integration for any unusual JavaScript behavior or unexpected redirects. Examine the source code for any user-controlled input that is not properly sanitized before being rendered.
• generic web: Review access logs for suspicious requests containing JavaScript payloads targeting the chat embed functionality.
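The same version check can run against a lockfile, so it works in CI without an installed node_modules tree. This is an added example, not code from this page or from the Flowise project; the thresholds are the fixed versions named in the summary (flowise-embed 2.0.0, Flowise 2.1.1) held in a map you can change, and the sample lockfile with its project names is constructed.

```javascript
// Added example. Fixed versions are the ones named in the advisory summary.
const FIXED_IN = new Map([['flowise-embed', '2.0.0'], ['flowise', '2.1.1']]);

// True when `version` sorts before `fixed` (numeric major.minor.patch compare;
// a pre-release such as 2.0.0-rc.1 counts as older than 2.0.0).
function isBelow(version, fixed) {
  const clean = version.split('+')[0];
  const dash = clean.indexOf('-');
  const a = (dash === -1 ? clean : clean.slice(0, dash)).split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return dash !== -1;
}

// Returns every affected install found in a parsed package-lock.json.
function findVulnerable(lock, fixedIn = FIXED_IN) {
  const hits = [];
  const check = (name, version, where) => {
    const fixed = fixedIn.get(name);
    if (fixed && version && isBelow(version, fixed)) hits.push({ name, version, where, fixed });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path) check(meta.name || path.split('node_modules/').pop(), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists, to avoid duplicates).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail + name);
      walk(meta.dependencies, trail + name + ' > ');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "demo-site" and "chat-widget" are made-up names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-site', version: '1.0.0' },
    'node_modules/flowise-embed': { version: '1.3.14' },
    'node_modules/chat-widget/node_modules/flowise-embed': { version: '2.0.0' },
    'node_modules/flowise': { version: '2.1.0' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json to findVulnerable; nested copies pulled in by other dependencies are reported with their install path.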
EPSS
1.93% (83rd percentile)
The primary mitigation for CVE-2024-9148 is to immediately upgrade Flowise Embed to version 2.0.0 or later, which contains the necessary input sanitization fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input based on common XSS patterns. Carefully review and sanitize all user-supplied input before rendering it in the application. Regularly scan your Flowise deployments for vulnerabilities using automated security tools. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into a Flowise Chat Embed field and verifying that it is properly sanitized and does not execute.
Upgrade Flowise to version 2.1.1 or later. This version contains the fix for the stored XSS vulnerability. Ensure that all user input is validated and sanitized to prevent future attacks.
CVE-2024-9148 is a critical XSS vulnerability in the flowise-embed Node.js package, affecting versions less than 2.1.1 and Flowise Chat Embed versions before 2.0.0, due to insufficient input sanitization.
You are affected if you are using flowise-embed versions less than 2.1.1 or Flowise Chat Embed versions before 2.0.0 in your Node.js project.
Upgrade to version 2.0.0 or later of Flowise Chat Embed and flowise-embed. Implement input validation and output encoding as a temporary mitigation.
There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the flowise-embed project's repository and related security advisories for the latest information.