flowise 3.0.8 vulnerabilities

Known vulnerabilities in the flowise package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via insufficient input filtering of input by web applications such as `chat box` and agent workflow processes. An attacker can execute arbitrary JavaScript code in the victim's browser by injecting malicious scripts, potentially leading to theft of sensitive information such as cookies when a user interacts with crafted content. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
H Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the chat logs, due to improper input sanitization. An attacker can access sensitive information or impersonate an administrator by injecting malicious HTML or scripts into chat prompts, which are then rendered when an admin views the logs. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
H Uncontrolled Resource Consumption ('Resource Exhaustion') flowise is a Flowiseai Server Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the `/api/v1/get-upload-file` API endpoint. An attacker can cause the application to crash by sending specially crafted input. How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/api/v1/public-chatflows/id` endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `/api/v1/chatflows-streaming/id`, which returns a 404 page in the absence of a streaming ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/api/v1/credentials/id` endpoint, which returns a 404 page in the absence of a credential ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
M Cross-site Scripting (XSS) flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `api/v1/chatflows/id` endpoint, which returns a 404 page in the absence of a chatflow ID. An attacker can inject malicious scripts into the `text/html` page to read unintended files on the filesystem. How to fix Cross-site Scripting (XSS)? There is no fixed version for `flowise`.	*
H Path Traversal flowise is a Flowiseai Server Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of the `filename` parameter used by the `/api/v1/openai-assistants-file` endpoint. An attacker can pass in a path traversal string to read arbitrary files on the vulnerable file system. How to fix Path Traversal? There is no fixed version for `flowise`.	*

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

flowise is a Flowiseai Server

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via insufficient input filtering of input by web applications such as chat box and agent workflow processes. An attacker can execute arbitrary JavaScript code in the victim's browser by injecting malicious scripts, potentially leading to theft of sensitive information such as cookies when a user interacts with crafted content.

How to fix Cross-site Scripting (XSS)?