Lucene search

CVE-2024-37146

🗓️ 01 Jul 2024 19:04:15Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 71 Views🌐 WEB

Flowise version 1.4.3 reflects cross-site scripting vulnerability in the /api/v1/credentials/id endpoint, allowing unauthenticated attackers to inject Javascript, steal information, and read arbitrary files

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 7
Cvelist	CVE-2024-37146 GHSL-2023-248: Flowise xss in /api/v1/credentials/id	1 Jul 202418:25	–	cvelist
Vulnrichment	CVE-2024-37146 GHSL-2023-248: Flowise xss in /api/v1/credentials/id	1 Jul 202418:25	–	vulnrichment
Github Security Blog	Flowise Cross-site Scripting in/api/v1/credentials/id	5 Aug 202421:29	–	github
NVD	CVE-2024-37146	1 Jul 202419:15	–	nvd
OSV	GHSA-WXM4-9F8P-GGGV Flowise Cross-site Scripting in/api/v1/credentials/id	5 Aug 202421:29	–	osv
OSV	CVE-2024-37146	1 Jul 202419:15	–	osv
Veracode	Cross-Site Scripting (XSS)	3 Jul 202406:00	–	veracode

Nvd

Vulners

Node

flowiseai flowiseRange≤1.4.3

[
  {
    "vendor": "FlowiseAI",
    "product": "Flowise",
    "versions": [
      {
        "version": "<= 1.4.3",
        "status": "affected"
      }
    ]
  }
]

Source	Link
securitylab	www.securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise/
github	www.github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts

Parameter	Position	Path	Description	CWE
chatflow_id	query param	/api/v1/credentials/id	Reflected cross-site scripting vulnerability allowing injection of malicious scripts via specially crafted URLs.	CWE-79

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

01 Jul 2024 19:15Current

6.2Medium risk

Vulners AI Score6.2

CVSS36.1

EPSS0.00054

SSVC

CWE-79