Description
Cross-Site Scripting in node-red
Versions of node-red prior to 0.20.8 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim's browser.
Recommendation
Upgrade to version 0.18.6 or later.
Packages
Name: node-red (npm)
Affected versions: <= 0.20.7
Fixed version: 0.20.8
Related vulnerabilities
CVSS3: 5.4
nvd
about 6 years ago
A stored XSS vulnerability is present within node-red (version: <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.