Tenable Advisory: Flowise Stored XSS Vulnerability (CVE-2024-9148)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: Flowise Stored Cross-Site Scripting 2. Severity Level: Critical 3. CVE ID: CVE-2024-9148 4. Tenable Advisory ID: TRA-2024-40 5. Affected Products: - Flowise < 2.1.1 - Flowise Chat Embed < 2.0.0 6. Risk Factor: Critical 7. Vulnerability Description: - Flowise uses the Flowise Chat Embed JavaScript library to display Flowise chatbots on websites. - Flowise Chat Embed versions prior to 2.0.0 lack input sanitization, allowing remote and unauthorized users to inject malicious JavaScript and perform stored cross-site scripting (XSS) attacks. - Core functionality of Flowise includes creating chat workflows, which can be translated into chatbots embeddable on websites. 8. Solution: - Upgrade to Flowise 2.1.1 or later. - If only using the Flowise Chat Embed library, upgrade to version 2.0.0 or later. 9. Disclosure Timeline: - June 13, 2024: Vulnerability discovered. - June 20, 2024: Tenable attempted to contact the vendor. - June 24, 2024: Tenable attempted to notify the project team via GitHub’s private security feature. - July 15, 2024: Project team responded to the GitHub issue. - August 13, 2024: Tenable requested an update on the GitHub issue status. - September 15, 2024: Project team responded to the GitHub issue, providing details on the upcoming fix. - September 20, 2024: Tenable observed that the fix had been released in version 2.0.0 of FlowiseChatEmbed. This information provides a detailed description of the vulnerability, affected products, risk factors, remediation steps, and disclosure timeline.

Goal Reached Thanks to every supporter — we hit 100%!

Tenable Advisory: Flowise Stored XSS Vulnerability (CVE-2024-9148)