I would like to report a stored XSS in node-red.
It allows an attacker to steal session cookies, deface the web application, etc.
module name: node-red
version: 0.20.7
npm page: https://www.npmjs.com/package/node-red
A visual tool for wiring the Internet of Things.
Weekly downloads - 23,557
Node-RED ships example flows that demonstrate the Inject, Debug and Function nodes, and you can define multiple flows (one tab per flow).
When renaming a flow (double-click its tab, edit the "Name" field and click "Done"), the name is rendered into the editor page unescaped, so HTML or JavaScript entered there is not neutralised. After clicking the "Deploy" button the flow is stored with that name, and every time the flow is double-clicked the injected code executes in the browser of whoever opened the editor. Because the payload lives in the stored flow, it fires for every user who opens that flow, not only for the person who entered it.
install node-red: sudo npm install -g --unsafe-perm node-red
start node-red in the background: node-red &
open http://localhost:1880 in a browser
Escape the flow name (and any other user-supplied label) for the HTML context it is rendered into, for example by setting it as text content rather than as HTML. Validating the "Name" input field alone is not sufficient: the stored value is re-rendered every time the flow is opened, and flow names can also reach the editor through imported flow JSON rather than the rename dialog, so encoding at output time is the robust fix.
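The following is an added illustration of the vulnerable and the hardened rendering pattern; it is not node-red's own editor code. The two render helpers, the "flow-tab" class name and the sample flow object are hypothetical stand-ins for whatever code in the editor places the flow name into the page; the payload in the sample flow is constructed for the example.

```javascript
// Added example (not node-red's own code). Shows why the flow name must be
// escaped at render time. renderTabUnsafe / renderTabSafe are hypothetical
// stand-ins for the editor code that writes the tab label into the DOM.

// Minimal HTML escaper covering the characters that matter in element
// content and in double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored flow name is concatenated straight into
// markup that is later assigned to innerHTML (or jQuery .html()).
// A name containing a quote and a tag breaks out of the title attribute
// and injects a new element.
function renderTabUnsafe(flow) {
  return `<a class="flow-tab" title="${flow.label}">${flow.label}</a>`;
}

// Hardened pattern: every interpolated value is escaped for the context it
// lands in (here: element content and a double-quoted attribute), so the
// name is displayed literally and can no longer introduce markup.
function renderTabSafe(flow) {
  const label = escapeHtml(flow.label);
  return `<a class="flow-tab" title="${label}">${label}</a>`;
}

// Constructed sample flow object in the shape the report describes (a tab
// whose "Name" is user controlled), carrying a classic attribute-breakout
// payload that exfiltrates document.cookie when the image fails to load.
const hostileFlow = {
  id: "f1",
  type: "tab",
  label: '"><img src=x onerror=alert(document.cookie)>',
};

// True if the rendered markup contains an <img> element that came from the
// flow name, i.e. the name broke out of its intended context. After escaping
// there is no literal "<" left from the name, so this returns false.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

console.log("unsafe:", renderTabUnsafe(hostileFlow));
console.log("safe:  ", renderTabSafe(hostileFlow));
```

Running the block prints the two renderings side by side: the unsafe one contains a live `<img ... onerror=...>` element, the safe one shows the same characters as inert `&lt;`/`&quot;` entities. In a real editor the equivalent of renderTabSafe is to assign the name with textContent (or jQuery .text()) instead of building HTML strings.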
This vulnerability allows an attacker to steal session cookies, deface the web application, etc., against any user who opens the affected flow in the editor.