Flowsint Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Flowsint versions prior to 1.2.3. Flowsint is an open-source OSINT graph exploration tool used for cybersecurity investigations. An attacker who can create or edit a node within an investigation can store arbitrary HTML in that node's description. When another user selects the node, the stored HTML is rendered into the page, and any script it carries executes in that user's browser. The root cause is that the application displays node descriptions through React's 'dangerouslySetInnerHTML', which inserts the string into the DOM as raw HTML instead of rendering it as text. Because that insertion goes through innerHTML, a '<script>' element in the description is inert, but markup with an event-handler attribute (for example an '<img>' tag with an 'onerror' handler) runs as soon as it is rendered.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected script runs in the Flowsint application's origin, in the context and session of whichever user views the node. Because the payload is persisted with the investigation, it fires for every user who later selects that node, not only the one who created it.
Reproduction
To reproduce this vulnerability, create a node within a sketch in Flowsint prior to version 1.2.3 and give it a description containing arbitrary HTML. Since the description is rendered through innerHTML, use a payload that executes without a '<script>' element, such as an element with an event-handler attribute. Once the node is saved and selected, the HTML is rendered and the handler executes. The steps can be automated with a Python script that registers a user, creates an investigation and a sketch, and then adds a node with an XSS payload in the description.
Remediation
Users are advised to update Flowsint to version 1.2.3 or later.
