Lucene search

GitHub Advisory DatabaseGHSA-8W65-XJC5-9W79

HistoryJan 30, 2020 - 9:00 p.m.

Cross-Site Scripting in node-red

2020-01-3021:00:21

CWE-79

GitHub Advisory Database

github.com

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Versions of node-red prior to 0.20.8are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim’s browser.

Recommendation

Upgrade to version 0.18.6 or later.

Affected configurations

Vulners

Node

node-redRange≤0.20.7

VendorProductVersionCPE
*node-red*cpe:2.3:a:*:node-red:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	node-red	*	cpe:2.3:a::node-red::::::::*

References

github.com/advisories/GHSA-8w65-xjc5-9w79

hackerone.com/reports/681986

nvd.nist.gov/vuln/detail/CVE-2019-15607

www.npmjs.com/advisories/1456

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Related for GHSA-8W65-XJC5-9W79