Flowsint Arbitrary HTML Injection Vulnerability Leading to Stored Cross-Site Scripting

Vulnerability

A stored cross-site scripting vulnerability has been identified in Flowsint, an open-source OSINT graph exploration tool, prior to version 1.2.3. The issue allows remote attackers to inject arbitrary HTML into map nodes. When the map tab is accessed and a node marker is clicked, the injected HTML is rendered, potentially executing malicious scripts. This vulnerability arises because the application uses innerHTML to display node labels, enabling HTML injection.

Impact

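Exploitation of this vulnerability could lead to stored cross-site scripting: the injected markup is saved with the node, and any scripts it carries execute in the browser context of a user who opens the map tab and clicks the affected node marker.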

Reproduction

To reproduce this vulnerability, create a map node in Flowsint prior to version 1.2.3 with a label that includes arbitrary HTML. Once the node is created, switch to the map tab and click on the node marker. The application will render the HTML, executing any embedded scripts.

Remediation

Users are advised to update Flowsint to version 1.2.3 or later, where this vulnerability has been fixed.
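The sink named above, innerHTML, is shown below beside two safer ways to render a node label, plus a check for labels already stored with markup. This is an added example, not Flowsint's code or its actual fix; the function names, the popup wrapper, and the node shape { id, label } are assumptions.

```javascript
// Added example. Function names and the node shape { id, label } are
// hypothetical; this is not Flowsint's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern named in the advisory: the label is parsed as HTML.
function renderLabelUnsafe(container, label) {
  container.innerHTML = label;
}

// Hardened: textContent never invokes the HTML parser.
function renderLabelSafe(container, label) {
  container.textContent = String(label);
}

// For popup APIs that only accept an HTML string, escape before interpolating.
function buildPopupHtml(label) {
  return `<div class="node-popup">${escapeHtml(label)}</div>`;
}

// Audit helper: list stored nodes whose labels contain tag-like markup, so
// data saved before the upgrade can be reviewed.
function findMarkupLabels(nodes) {
  return nodes.filter((n) => /<\/?[a-z!]/i.test(String(n.label))).map((n) => n.id);
}

// Constructed sample data.
const sampleNodes = [
  { id: 'n1', label: 'Paris office' },
  { id: 'n2', label: '<u title="x">Office</u> & Co' },
  { id: 'n3', label: 'Temp < 5 C' },
];

console.log(buildPopupHtml(sampleNodes[1].label));
console.log(findMarkupLabels(sampleNodes));
```

A label flagged by the audit helper is not necessarily malicious; it is a candidate for review, since a bare `<` followed by a space or digit is deliberately not matched.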

Added: May 12, 2026, 11:23 PM
Updated: May 12, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.