Description
Cross-Site Scripting in node-red
Versions of node-red prior to 0.18.6 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new items, allowing attackers to execute arbitrary JavaScript in the victim's browser.
Recommendation
Upgrade to version 0.18.6 or later.
Packages
Name: node-red (npm)
Affected versions: < 0.18.6
Fixed version: 0.18.6
Weaknesses
CWE-79