Flowise Stored Cross-Site Scripting Vulnerability in Chat Log

Vulnerability

A stored cross-site scripting vulnerability has been identified in Flowise versions prior to 3.0.5. This issue allows an attacker to inject malicious HTML into the chat log, which is then executed when an admin views the log. The vulnerability arises because the chat log improperly sanitizes FORM and INPUT elements, enabling the injection of harmful scripts that could steal admin credentials or sensitive information.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the admin user.

Reproduction

To reproduce this vulnerability, inject a FORM element containing an INPUT element of type 'image' into the chat log. The INPUT element should include a 'formaction' attribute that directs to a JavaScript payload, such as an alert or a request to an external server with sensitive information. Once the injection is made, an admin viewing the chat log will trigger the injected script by interacting with the image.

Remediation

Users can update to Flowise version 3.0.5 or later, where this vulnerability has been patched.
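For deployments that stored chat messages before upgrading, the pattern described under Reproduction can be searched for in existing logs. The following is an added example, not Flowise code and not the 3.0.5 patch: it parses each stored message and reports form-related elements and submit-target attributes. The message ids, sample contents and function names are assumptions, and the check goes slightly beyond the page by also covering BUTTON, which accepts formaction as well.

```python
from html.parser import HTMLParser

# Elements that can submit a form or override its target. Assumption: button
# is included because it also accepts formaction; the page names FORM/INPUT.
FORM_TAGS = {"form", "input", "button"}
TARGET_ATTRS = {"action", "formaction"}  # attributes holding a submit target

def is_script_url(value):
    """True for javascript: URLs; whitespace and control chars are ignored."""
    cleaned = "".join(ch for ch in (value or "") if ch > " ").lower()
    return cleaned.startswith("javascript:")

class FormFinder(HTMLParser):
    """Collects form-related elements and submit-target attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lowercased
        if tag in FORM_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name in TARGET_ATTRS:
                kind = "javascript: URL" if is_script_url(value) else "URL"
                self.findings.append(f"{name} on <{tag}> ({kind})")

def audit_message(html):
    """Return the list of findings for one stored chat message."""
    finder = FormFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def audit_log(messages):
    """Return {message_id: findings} for messages that need review."""
    return {mid: f for mid, body in messages.items() if (f := audit_message(body))}

# Constructed sample chat log (hypothetical ids and contents).
SAMPLE_LOG = {
    "msg-1": "How do I reset my <b>password</b>?",
    "msg-2": '<FORM><INPUT type="image" formaction="javascript:alert(1)"></FORM>',
    "msg-3": 'See <a href="https://example.com/docs">the docs</a>.',
}

if __name__ == "__main__":
    for mid, findings in audit_log(SAMPLE_LOG).items():
        print(mid, findings)
```

A hit means the message needs manual review, not that it is malicious; legitimate chat content rarely contains form markup, so false positives should be few.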

Added: Oct 6, 2025, 2:18 AM
Updated: Oct 6, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.4
exploitability: 7.4
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.