A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side Javascript code) into web pages, and when users browse these web pages, the malicious code will be executed, and the victims may be vulnerable to various attacks such as cookie data theft, etc.
const fetch = require('node-fetch');
const url = 'https://external.website';
const options = {
method: 'GET',
headers: {
'Content-Type': 'application/json'
}
};
try {
const response = await fetch(url, options);
const text = await response.text();
return text;
} catch (error) {
console.error(error);
return '';
}
it is critical XSS vulnerability. All users of Flowise platform that use the workflows of agents.
Summary
A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side Javascript code) into web pages, and when users browse these web pages, the malicious code will be executed, and the victims may be vulnerable to various attacks such as cookie data theft, etc.
Details
<iframe src="javascript:alert(document.cookie);">from User in a chat box:Trigger in other ways:
Create a Agentflow in cloud platform (https://cloud.flowiseai.com/agentflows)
Create a Custom function as an example, use the below example code.
PoC
<iframe src="javascript:alert(document.cookie);">Impact
it is critical XSS vulnerability. All users of Flowise platform that use the workflows of agents.