Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneVineetpandeyH1:681986
HistoryAug 26, 2019 - 9:17 a.m.

Node.js third-party modules: [node-red] Stored XSS within Flow's - "Name" field

2019-08-2609:17:03
vineetpandey
hackerone.com
17

EPSS

0.001

Percentile

24.8%

JSON

> NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

I would like to report Stored XSS in node-red.
It allows to steal session cookies, deface web applications, etc.

Module

module name: node-redversion:0.20.7npm page: https://www.npmjs.com/package/node-red

Module Description

A visual tool for wiring the Internet of Things.

Module Stats

> Replace stats below with numbers from npm’s module page:

Weekly downloads - 23,557

Vulnerability

Vulnerability Description

npm-red has flows to demonstrate the Inject, Debug and Function nodes, etc and you can define multiple flows.
For your customization, when renaming the flow - malicious javascript can be inserted into the “Name” field and Click “Done”. Then after clicking the “Deploy” button, changes will take effect. Then Everytime you double-click the flow, inserted malicious code will be executed.

Steps To Reproduce:

install node-red: sudo npm install -g --unsafe-perm node-red
start node-red: node-red
&
Open http://localhost:1880

  1. Now Edit the flow (refer img_1.png)
  2. Insert malicious javascript code and click “Done” (refer img_2.png)
  3. Click Deploy and changes will take place.
  4. Double click on flow and you’ll observe a pop-up executing the malicious content (refer img_3.png)

Patch

Deploy input sanitization/validation around the input fields.

> If you’re able to provide a patch with the fix please post it in this section

Supporting Material/References:

> State all technical information about the stack where the vulnerability was found

  • Kali linux
  • Node.js v12.8.0
  • NPM v6.10.2
  • Firefox 60.8.0esr
  • Burpsuite, if there would have been client side validation

Wrap up

> Select Y or N for the following statements:

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

This vulnerability will allow the attacker to steal session cookies, deface web applications, etc.

Related

nvd 1
prion 1
github 1
cvelist 1
osv 2
cve 1
veracode 1
nvd
nvd
CVE-2019-15607
2020-01-28 03:15:10
prion
prion
Cross site scripting
2020-01-28 03:15:00
github
github
Cross-Site Scripting in node-red
2020-01-30 21:00:21
cvelist
cvelist
CVE-2019-15607
2020-01-28 02:13:16
osv
osv
CVE-2019-15607
2020-01-28 03:15:10
Cross-Site Scripting in node-red
2020-01-30 21:00:21
cve
cve
CVE-2019-15607
2020-01-28 03:15:10
veracode
veracode
Cross-Site Scripting (XSS)
2020-01-13 04:55:57

EPSS

0.001

Percentile

24.8%

JSON
Related for H1:681986
nvd1prion1github1cvelist1osv2cve1veracode1