{"data":{"id":"9e7111e0-12e2-45e3-acbb-476f6363b1d4","title":"CVE-2024-37146: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a ","summary":"Flowise version 1.4.3 has a reflected cross-site scripting (XSS) vulnerability in its `/api/v1/credentials/id` endpoint: attacker-supplied JavaScript is reflected back in the endpoint's response and executes in the browser of a user who opens a crafted link, which can be used to steal information from that user's session or redirect them to an attacker-controlled website. The issue is especially serious because, in the default configuration, it can be exploited without authentication, and it can be chained with other weaknesses to read files from the Flowise server.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-37146","publishedAt":"2024-07-01T19:15:04.070Z","cveId":"CVE-2024-37146","cweIds":["CWE-79","CWE-79"],"cvssScore":"6.1","cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0032,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-198","CAPEC-86"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}