CVE-2024-36422: 
JavaScript vulnerability analysis and mitigation

CVE-2024-36422 is a Cross-Site Scripting (XSS) vulnerability in Flowise v1.4.3. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions (GitHub Security Lab).

The vulnerability exists in many of the API endpoints in index.ts. When a chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page. The vulnerability is found in multiple endpoints including api/v1/chatflows/id, /api/v1/public-chatflows/id, /api/v1/chatflows-streaming/id, and /api/v1/credentials/id (GitHub Security Lab).

This vulnerability may lead to information disclosure, allowing attackers to steal sensitive information. When chained with path injection vulnerabilities, it could allow attackers without direct access to Flowise to read arbitrary files from the Flowise server (GitHub Security Lab).

It is recommended to remove all cases where data provided from the req parameter is passed to the res without sanitization. For example, avoid using unsanitized data in responses like res.status(404).send(Chatflow ${req.params.id} not found) (GitHub Security Lab).