{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-9148","assignerOrgId":"5ac1ecc2-367a-4d16-a0b2-35d495ddd0be","state":"PUBLISHED","assignerShortName":"tenable","dateReserved":"2024-09-24T12:56:09.831Z","datePublished":"2024-09-24T13:13:13.565Z","dateUpdated":"2024-09-24T13:47:35.323Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://www.npmjs.com/package/flowise-embed","defaultStatus":"unaffected","packageName":"flowise-embed","product":"FlowiseChatEmbed","repo":"https://github.com/FlowiseAI/FlowiseChatEmbed","vendor":"FlowiseAI","versions":[{"lessThan":"2.0.0","status":"affected","version":"0","versionType":"npm"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Flowise &lt; 2.1.1 suffers from a Stored Cross-Site Scripting vulnerability due to a lack of input sanitization in Flowise Chat Embed &lt; 2.0.0."}],"value":"Flowise < 2.1.1 suffers from a Stored Cross-Site Scripting vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0."}],"impacts":[{"capecId":"CAPEC-592","descriptions":[{"lang":"en","value":"CAPEC-592 Stored XSS"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"5ac1ecc2-367a-4d16-a0b2-35d495ddd0be","shortName":"tenable","dateUpdated":"2024-09-24T13:13:13.565Z"},"references":[{"url":"https://www.tenable.com/security/research/tra-2024-40"}],"source":{"discovery":"UNKNOWN"},"title":"Flowise Stored Cross-Site Scripting","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"flowiseai","product":"flowise","cpes":["cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"0","status":"affected","lessThan":"2.0.0","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-24T13:45:56.657543Z","id":"CVE-2024-9148","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-24T13:47:35.323Z"}}]}}