Executive Summary
Flowise before version 3.0.8 contains a cross-site scripting (XSS) vulnerability. Insufficient input filtering in chat messages and custom agent functions allows an attacker to inject malicious JavaScript. The vulnerability is rated 6.1 (Medium) under CVSS v3.1.
Technical Analysis
This issue is a cross-site scripting (XSS) vulnerability. An attacker injects malicious JavaScript either by sending an iframe payload in a chat box or by having a custom agent function return an XSS payload from an external website. The root cause is the lack of proper input validation and sanitization in Flowise's handling of chat messages and custom agent functions.
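The root cause described above, shown as an added example that is neither Flowise code nor the project's actual fix: a chat renderer that concatenates untrusted text into markup, beside a hardened one that encodes both chat-box input and custom-function output before it reaches the HTML sink. The example goes one step beyond the iframe case by also restricting links to http(s); all function names, the message shape and the sample transcript are assumptions constructed for illustration.

```javascript
// Added example, not Flowise code; every name below is hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can start a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only absolute http(s) URLs may become links.
function isSafeUrl(url) {
  try {
    const { protocol } = new URL(url);
    return protocol === 'http:' || protocol === 'https:';
  } catch {
    return false; // relative or unparsable: leave as text
  }
}

// "Before" shape: untrusted text concatenated straight into markup.
function renderMessageUnsafe(msg) {
  return `<div class="msg ${msg.role}">${msg.text}</div>`;
}

// Hardened shape: escape everything, then re-add one allowlisted construct.
function renderMessageSafe(msg) {
  const role = msg.role === 'user' ? 'user' : 'agent'; // never reflect role verbatim
  const body = escapeHtml(msg.text).replace(
    /\[([^\]]+)\]\(([^)\s]+)\)/g,
    (whole, label, url) =>
      isSafeUrl(url) ? `<a href="${url}" rel="noopener noreferrer">${label}</a>` : whole
  );
  return `<div class="msg ${role}">${body}</div>`;
}

// Constructed sample transcript: one chat-box message, one custom-function result.
const SAMPLE = [
  { role: 'user', text: '<iframe src="https://example.invalid/frame"></iframe>' },
  { role: 'agent', text: 'Docs: [guide](https://example.invalid/?a=1&b=2) and [x](javascript:void(0))' },
];

function renderTranscript(messages) {
  return messages.map(renderMessageSafe).join('\n');
}

console.log(renderTranscript(SAMPLE));
```

Escaping happens before any formatting is re-added, so the link markup is the only HTML the renderer itself can emit.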
How It Gets Exploited
An attacker can exploit this vulnerability by sending a crafted iframe payload, such as `