Flowise Stored Cross-Site Scripting

Flowise uses the Flowise Chat Embed JavaScript library to display a Flowise chatbot on a website. Flowise Chat Embed versions prior to 2.0.0 do not sanitize user input, allowing a remote, unauthenticated user to inject malicious JavaScript and perform stored cross-site scripting attacks against the vulnerable instance.

Proof-of-Concept

One of Flowise's core features is the creation of a chatflow, that is, a chatbot that can then be embedded in a website.

When creating a flow and starting a conversation with the bot, we observed that certain HTML attributes are filtered, such as on* event handlers.

It is however possible to use an XSS payload that needs no event handler, such as:

<iframe src=javascript:console.log(document.domain)>

Since the chatbot is designed to be embedded on a website, the payload then flows to the Flowise administration panel, where it is executed. Any user who starts a conversation with the chatbot can therefore carry out the attack.

Rémy Marot

Tue, 09/24/2024 – 03:09
