CVE-2024-9148
JavaScript vulnerability analysis and mitigation

Overview

Flowise versions prior to 2.1.1 and Flowise Chat Embed versions prior to 2.0.0 are affected by a Stored Cross-Site Scripting vulnerability. The vulnerability stems from inadequate input sanitization in the Flowise Chat Embed component. This security issue was discovered in June 2024 and publicly disclosed on September 24, 2024 (Tenable Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The issue arises from insufficient sanitization of user input in the chat functionality, which allows injection of malicious JavaScript. Although the component filters HTML event-handler attributes (on*), that filtering is incomplete: XSS payloads that do not rely on event handlers still execute (Tenable Advisory).
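The advisory's point is that stripping on* attributes is a blocklist, and a blocklist misses every construct it did not anticipate. The following is an added example, not Flowise or Flowise Chat Embed code, that puts a minimal on*-stripping sanitizer beside an allowlist sanitizer which escapes everything it does not explicitly permit, and runs both over constructed chat messages. The function names, the allowed tag set, and the sample inputs are assumptions made for the illustration.

```javascript
// Added example (not Flowise code): contrasting a blocklist sanitizer that only
// strips on* event-handler attributes with an allowlist sanitizer that escapes
// everything it does not explicitly permit. Names, regexes and sample inputs
// below are constructed for this illustration.

// Weak approach: remove on* attributes and pass everything else through.
// This is the kind of filter the advisory describes as insufficient.
function blocklistSanitize(html) {
  return html.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Hardened approach: escape all markup, then re-allow only a small set of
// attribute-less formatting tags. Anything malformed or unexpected is escaped
// rather than passed through, so tokenizer edge cases fail safe.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'p', 'br']);

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function allowlistSanitize(html) {
  // A tag token is kept only if it is bare (no attributes) and its name is allowed.
  const BARE_TAG = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*(\/?)>$/;
  return html
    .split(/(<[^>]*>)/) // the capture group keeps tag tokens in the result array
    .map((piece) => {
      const m = BARE_TAG.exec(piece);
      if (m && ALLOWED_TAGS.has(m[2].toLowerCase())) {
        return `<${m[1]}${m[2].toLowerCase()}${m[3]}>`;
      }
      return escapeHtml(piece);
    })
    .join('');
}

// Defender-side check used for review and tests: does the sanitized output still
// contain constructs a browser would execute? Looks for live <script> tags,
// javascript: URLs inside a real tag, and any surviving on* attribute.
function containsActiveContent(html) {
  return /<script\b/i.test(html)
    || /<[^>]+\bjavascript:/i.test(html)
    || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed chat messages: one benign, one using an event handler, and two
// that execute without any event handler (the gap the advisory describes).
const SAMPLES = [
  '<b>hello</b> & welcome',
  '<img src=x onerror=alert(1)>',
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">click</a>',
];

// Returns, per sample, whether each sanitizer left active content behind.
function compareSanitizers(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    blocklistUnsafe: containsActiveContent(blocklistSanitize(input)),
    allowlistUnsafe: containsActiveContent(allowlistSanitize(input)),
  }));
}

for (const row of compareSanitizers()) {
  console.log(JSON.stringify(row));
}
```

Run with `node`. The blocklist version neutralises the `onerror` sample but passes the `<script>` and `javascript:` samples through untouched, which is exactly the failure mode the advisory describes; the allowlist version renders all three inert while still keeping the `<b>` formatting. In production, a maintained library such as DOMPurify is the sensible replacement for the hand-rolled allowlist shown here, but the design principle is the same: permit known-good markup, escape everything else.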

Impact

Because the chatbot is designed to be embedded in websites, successful exploitation allows an attacker to execute malicious JavaScript in the context of the Flowise administration panel when users interact with the affected chatbot. This can lead to theft of sensitive information, session hijacking, and potential compromise of the administrative interface (Tenable Advisory).

Mitigation and workarounds

Users are advised to upgrade to Flowise version 2.1.1 or later. For those using only the Flowise Chat Embed library, upgrading to version 2.0.0 or later is recommended (Tenable Advisory).

This report was generated using AI.
