CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8181 – Flowise Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-8181
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality. • https://tenable.com/security/research/tra-2024-33 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8182 – Flowise Denial of Service
https://notcve.org/view.php?id=CVE-2024-8182
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the “/api/v1/get-upload-file” api endpoint. • https://tenable.com/security/research/tra-2024-34 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37146 – GHSL-2023-248: Flowise xss in /api/v1/credentials/id
https://notcve.org/view.php?id=CVE-2024-37146
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. • https://github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts#L545-L545 https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37145 – GHSL-2023-247: Flowise xss in /api/v1/chatflows-streaming/id
https://notcve.org/view.php?id=CVE-2024-37145
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. • https://github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts#L375-L375 https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36423 – GHSL-2023-246: Flowise xss in /api/v1/public-chatflows/id
https://notcve.org/view.php?id=CVE-2024-36423
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. • https://github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts#L322-L322 https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •