Flowise Stored Cross-Site Scripting
Flowise uses the Flowise Chat Embed JavaScript library to display a Flowise chatbot on a website. Flowise Chat Embed versions prior to 2.0.0 do not sanitize user input, allowing a remote, unauthenticated user to inject malicious JavaScript and perform Stored Cross-Site Scripting attacks against the vulnerable instance.
Proof-of-Concept
Flowise’s core features include the creation of chatflows, which can be understood as the creation of chatbots that can then be embedded in a website.
After creating a flow and starting a conversation with the bot, we observed that certain HTML attributes are filtered, such as on* event handler attributes.
It is however possible to use an XSS payload without an event handler, such as:
<iframe src=javascript:console.log(document.domain)>
As the chatbot is designed to be embedded on a website, the payload then flows to the Flowise administration panel and is executed there, allowing any user who starts a conversation with the chatbot to carry out the attack:
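As an added example (not Flowise or Flowise Chat Embed code), the constructed JavaScript below shows why a blocklist that only strips on* event handler attributes does not stop the payload above, and contrasts it with rendering untrusted chat text as inert text plus a simple check that flags such markup before it reaches an admin view. The function names and the on* sample payload are assumptions for illustration.

```javascript
// naiveFilter mimics a blocklist that only removes on* event handler attributes,
// which is the kind of filtering the advisory observed.
function naiveFilter(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// escapeHtml renders untrusted chat text as inert text instead of markup.
// Escaping (or an allowlist sanitizer) is the real fix; a blocklist is not.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// containsActiveContent flags markup a stored-XSS check would want to catch
// in submitted chat messages: script-capable elements, on* handlers and
// javascript: URLs. It is a detection aid, not a sanitizer: regexes can be
// evaded (encoding, odd whitespace), so do not rely on it to make output safe.
function containsActiveContent(html) {
  const tag = /<\s*(script|iframe|object|embed|svg|math)\b/i;
  const handler = /\son\w+\s*=/i;
  const jsUrl = /(src|href|action|xlink:href)\s*=\s*["']?\s*javascript:/i;
  return tag.test(html) || handler.test(html) || jsUrl.test(html);
}

// Constructed sample inputs: a classic on* payload (assumed) and the
// event-handler-free payload quoted in the advisory.
const PAYLOAD_WITH_HANDLER = '<b onmouseover=console.log(1)>hi</b>';
const PAYLOAD_FROM_ADVISORY = '<iframe src=javascript:console.log(document.domain)>';

function demo() {
  return {
    handlerAfterNaive: naiveFilter(PAYLOAD_WITH_HANDLER),   // handler stripped
    iframeAfterNaive: naiveFilter(PAYLOAD_FROM_ADVISORY),   // unchanged: bypass
    iframeEscaped: escapeHtml(PAYLOAD_FROM_ADVISORY),       // inert text
    iframeFlagged: containsActiveContent(PAYLOAD_FROM_ADVISORY), // true
  };
}

console.log(demo());
```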
Tue, 09/24/2024 – 03:09