It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
[
{
"product": "node-red-dashboard",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 2.17.0"
}
]
}
]