253 matches found
Prototype Pollution
node-red is vulnerable to prototype pollution. It does not prevent unauthorized users from accessing the editor URL, allowing an attacker to send a badly formed request to modify the Node-RED runtime behaviour...
Directory Traversal
@node-red/runtime is vulnerable to directory traversal. The vulnerability exists as users with the projects.read permission can access any file via the Projects API...
CVE-2021-21297
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...
CVE-2021-21298
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via t...
Path traversal
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via t...
Design/Logic Flaw
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...
Path traversal in Node-Red
Impact: This vulnerability allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API. Patches: The issue has been patched in Node-RED 1.2.8. Workarounds: The vulnerability applies only...
GHSA-M33V-338H-4V9F Path traversal in Node-Red
Impact: This vulnerability allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API. Patches: The issue has been patched in Node-RED 1.2.8. Workarounds: The vulnerability applies only...
@albcastillobeone/node-red-contrib-event-classifier (=1.0.0), @dolittle/node-red (>=2.0.0 <=2.2.8) +28 more potentially affected by CVE-2021-21298 via @node-red/runtime (>=0.20.0-beta.2 <=1.2.7)
@node-red/runtime NPM version =0.20.0-beta.2, =2.0.0, =2.0.0, =1.1.0, =6.1.0, =1.2.0, =0.1.1, =1.0.44, =2.7.2, =1.8.0, =0.20.0, =0.0.1, =1.0.0, =1.0.20 and more Source cves: CVE-2021-21298 Source advisory: OSV:GHSA-M33V-338H-4V9F...
Prototype Pollution in Node-Red
Impact: Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Patches: The vulnerability is patched in the...
@albcastillobeone/node-red-contrib-event-classifier (=1.0.0), @dolittle/node-red (>=2.0.0 <=2.2.8) +28 more potentially affected by CVE-2021-21297 via @node-red/runtime (>=0.20.0-beta.2 <=1.2.7)
@node-red/runtime NPM version =0.20.0-beta.2, =2.0.0, =2.0.0, =1.1.0, =6.1.0, =1.2.0, =0.1.1, =1.0.44, =2.7.2, =1.8.0, =0.20.0, =0.0.1, =1.0.0, =1.0.20 and more Source cves: CVE-2021-21297 Source advisory: OSV:GHSA-XP9C-82X8-7F67...
GHSA-XP9C-82X8-7F67 Prototype Pollution in Node-Red
Impact: Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Patches: The vulnerability is patched in the...
Prototype Pollution
Overview. Impact: Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Workarounds: A workaround is to...
CVE-2021-21298
CVE-2021-21298 affects Node-RED up to v1.2.7 with a path traversal vulnerability via the Projects API. When the Projects feature is enabled, a user with projects.read can access arbitrary files through the Projects API. The issue has been fixed in Node-RED v1.2.8. The vulnerability applies only t...
CVE-2021-21298 Path traversal in Node-Red
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via t...
CVE-2021-21297 Prototype Pollution in Node-Red
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...
CVE-2021-21297
Node-RED CVE-2021-21297 affects Node-RED 1.2.7 and earlier, with a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, potentially altering Node-RED runtime behavior. The issue is fixed in version 1.2.8; a practical...
PT-2021-7971 · Node.Js · Node-Red
Name of the Vulnerable Software and Affected Versions: Node-RED versions 1.2.7 and earlier. Description: The issue concerns a Prototype Pollution vulnerability in the admin API of Node-RED, a low-code programming tool for event-driven applications built using Node.js. A badly formed request can...