漏洞标题
GHSL-2023-245: API/v1/chatflows/id中的Flowise XSS漏洞
漏洞描述信息
Flowise是一款用于构建自定义大型语言模型流的拖放式用户界面。在Flowise的1.4.3版本中,`api/v1/chatflows/id`端点出现了一个反射式跨站脚本(Cross-Site Scripting, XSS)漏洞。如果使用默认配置(未认证),攻击者可能能够构造一个特别构造的URL,将JavaScript注入到用户会话中,允许攻击者窃取信息、创建虚假弹窗,甚至在无需交互的情况下将用户重定向到其他网站。如果未找到聊天流ID,其值会在404页面中反射出来,该页面的类型为text/html。这使得攻击者能够向页面附加任意脚本,允许攻击者窃取敏感信息。该XSS漏洞可能与路径注入相结合,允许没有直接访问Flowise权限的攻击者从Flowise服务器读取任意文件。截至发布时,尚未发现已知的补丁。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
GHSL-2023-245: Flowise xss in api/v1/chatflows/id
漏洞描述信息
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Flowise 安全漏洞
漏洞描述信息
Flowise是一个用于轻松构建 LLM 应用程序的工具。 Flowise 1.4.3版本存在安全漏洞,该漏洞源于存在反射型跨站脚本漏洞,攻击者可从服务器读取任意文件。
CVSS信息
N/A
漏洞类别
其他