In this post I will go through CVE-2023-30094: the description, replication of the
vulnerability and POC.
Flow , a product
of TotalJS, is "It's a friendly, modern, straightforward Visual Programming Interface
for Low-code Development accessible through a web browser. The tool integrates,
processes, and transforms various events and data in real time."
Description of the vulnerability
The version 10 of Flow contains a vulnerable XSS page. The software does not sanitize the
name input field of the page.
Replication of the vulnerability
Login in the application.
Click on settings.
Set " <script>alert(document.domain)</script>
as platform name and save.