Edoardo Ottavianelli

Security Researcher and Open Source Developer. Passionate about Computing, Nature and cooking.


Author: Edoardo Ottavianelli

In this post I will go through CVE-2023-30094: the description, replication of the vulnerability and POC.

Flow, a product of TotalJS, is described by its authors as follows: "It's a friendly, modern, straightforward Visual Programming Interface for Low-code Development accessible through a web browser. The tool integrates, processes, and transforms various events and data in real time."


Description of the vulnerability

Version 10 of Flow contains a page that is vulnerable to XSS: the software does not sanitize the name input field of that page.

Replication of the vulnerability

  • Log in to the application.
  • Click on settings.
  • Set " <script>alert(document.domain)</script> as platform name and save.
  • Log out and the XSS will fire.


See the YouTube video PoC at the top of the page.
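The missing control described above is output encoding of the stored platform name. The following is an added example, not code from the original post or from Total.js Flow: the templates, function names and the 50-character limit are assumptions, and it assumes the saved name is rendered into both an attribute value and element text.

```javascript
// Added example: hypothetical rendering code, not taken from Total.js Flow.
// Assumption: the saved platform name is later written into an HTML attribute
// and into element text on a page shown after logout.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored value is concatenated into markup unchanged.
function renderUnsafe(name) {
  return `<input name="name" value="${name}"><h1>${name}</h1>`;
}

// "After": the same (hypothetical) template with encoding applied at render time.
function renderSafe(name) {
  const safe = escapeHtml(name);
  return `<input name="name" value="${safe}"><h1>${safe}</h1>`;
}

// Second layer at save time: accept only a conservative allowlist
// (letters, digits, space, dot, underscore, hyphen; length limit is assumed).
function isValidPlatformName(name) {
  return typeof name === 'string' && /^[\p{L}\p{N} ._-]{1,50}$/u.test(name);
}

// Count element start tags present in the markup, as a simple injection check.
function countTags(html, tag) {
  return (html.match(new RegExp(`<${tag}[\\s>]`, 'gi')) || []).length;
}

// The platform name from the replication steps above.
const PAYLOAD = '" <script>alert(document.domain)</script>';

function demo() {
  return {
    unsafeScriptTags: countTags(renderUnsafe(PAYLOAD), 'script'),
    safeScriptTags: countTags(renderSafe(PAYLOAD), 'script'),
    payloadAccepted: isValidPlatformName(PAYLOAD),
    normalAccepted: isValidPlatformName('Flow - Production'),
  };
}

console.log(demo());
```

Encoding at render time is the primary fix because it also neutralizes values that were stored before any input validation existed; the allowlist only reduces what can be saved from now on.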