256 matches found
CVE-2021-21297
Node-RED CVE-2021-21297 affects Node-RED 1.2.7 and earlier, with a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, potentially altering Node-RED runtime behavior. The issue is fixed in version 1.2.8; a practical...
CVE-2021-21297 Prototype Pollution in Node-Red
Node-Red is a low-code programming tool for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...
Node-Red Security Vulnerabilities
Node-Red is an open source stream-based visual programming development tool for connecting hardware devices, APIs and online services together as part of the Internet of Things. Node-Red has a security vulnerability that stems from the admin API containing a Prototype Pollution vulnerability. An...
Node-RED Path Traversal Vulnerability
Node-Red is an open source stream-based visual programming development tool for connecting hardware devices, APIs and online services together as part of the Internet of Things. A path traversal vulnerability exists in Node-RED 1.2.7 and earlier, which allows arbitrary path traversal via the...
PT-2021-7971 · Node.Js · Node-Red
Name of the Vulnerable Software and Affected Versions: Node-RED versions 1.2.7 and earlier Description: The issue concerns a Prototype Pollution vulnerability in the admin API of Node-RED, a low-code programming tool for event-driven applications built using nodejs. A badly formed request can...
Path Traversal
Overview: In Node-RED-Dashboard before 2.26.2 there is a path traversal vulnerability. In /nodes/uibase.js, the URL is matched with '/uibase/js/' and then passed to path.join. The lack of verification of the final path leads to a path traversal vulnerability. Recommendation: Upgrade to fix version...
@ia-cloud/node-red-contrib-ia-cloud-dashboard (>=0.0.1 <=0.1.4), @ia-cloud/node-red-dashboard-2-ia-cloud (>=1.0.0 <=1.0.1) +1 more potentially affected by CVE-2021-3223 via node-red-dashboard (>=2.13.2 <=2.17.0)
node-red-dashboard NPM version =2.13.2, =0.0.1, =1.0.0, =0.1.0, =0.3.0 Source cves: CVE-2021-3223 Source advisory: OSV:GHSA-2HW7-MXVJ-M455...
Path traversal in Node-RED-Dashboard
In Node-RED-Dashboard before 2.26.2 there is a path traversal vulnerability. It allows uibase/js/..%2f directory traversal to read files...
GHSA-2HW7-MXVJ-M455 Path traversal in Node-RED-Dashboard
In Node-RED-Dashboard before 2.26.2 there is a path traversal vulnerability. It allows uibase/js/..%2f directory traversal to read files...
Directory Traversal
node-red-dashboard is vulnerable to directory traversal. Lack of validation in the URL allows an attacker to access system files outside of the webroot via a malicious URL such as /uibase/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd...
Directory Traversal
node-red-contrib-huemagic is vulnerable to directory traversal. The vulnerability exists as the res.sendFile parameter in the API in hue-magic.js is not sanitized, allowing an attacker to fetch arbitrary files on the server by appending ../ to the URL of the target host...
CVE-2021-3223
Node-RED-Dashboard before 2.26.2 allows uibase/js/..%2f directory traversal to read files...
CVE-2021-3223
Node-RED-Dashboard before 2.26.2 allows uibase/js/..%2f directory traversal to read files...
CVE-2021-25864
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file...
Arbitrary file deletion
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file...
Directory traversal
Node-RED-Dashboard before 2.26.2 allows uibase/js/..%2f directory traversal to read files...
CVE-2021-25864
Hue Magic 3.0.0 is vulnerable to local file inclusion via the res.sendFile API in hue-magic.js, allowing an attacker to fetch arbitrary files on the server. This CVE (CVE-2021-25864) is documented in multiple sources (including a Nuclei template and advisories) as an LFI with potential to expose ...
CVE-2021-25864
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file...
CVE-2021-3223
CVE-2021-3223 affects Node-RED-Dashboard prior to 2.26.2. A local file inclusion vulnerability arises from directory traversal in ui_base/js/..%2f, allowing an attacker to read files on the server. This is described across multiple sources (NVD entry references LFI with CVSS v3.1 base score 7.5; ...
CVE-2021-3223
Node-RED-Dashboard before 2.26.2 allows uibase/js/..%2f directory traversal to read files...