253 matches found
CVE-2019-10756
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default...
Design/Logic Flaw
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default...
CVE-2019-10756
CVE-2019-10756 affects node-red-dashboard prior to version 2.17.0 where the ui_notification node accepts raw HTML by default, enabling JavaScript injection and thus cross-site scripting (XSS). The vulnerability stems from the ability to inject script through the notification UI component, as conf...
Node.js third-party modules: [node-red] Stored XSS within Flow's - "Name" field
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Stored XSS in...
@ia-cloud/node-red-contrib-ia-cloud-dashboard (>=0.0.1 <=0.0.4), node-red-contrib-ui-led (>=0.1.0 <=0.3.0) potentially affected by CVE-2019-10756 via node-red-dashboard (>=2.13.2 <=2.15.0)
node-red-dashboard NPM version =2.13.2, =0.0.1, =0.1.0, =0.3.0 Source cves: CVE-2019-10756 Source advisory: SNYK:JS-NODEREDDASHBOARD-471939...
Cross-site Scripting (XSS)
Overview: node-red-dashboard provides a set of nodes in Node-RED to quickly create a live data dashboard. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Details Remediation: Upgrade node-red-dashboard to version 2.17.0 or higher. References - GitHub Commit Credit...
Cross-Site Scripting
Overview: Versions of node-red prior to 0.18.6 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new items, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation: Upgrade to version 0.18.6 or later. References - HackerOn...
4everland-pinning (>=1.0.4 <=1.0.10), @0x5e/homebridge-tuya-platform (>=1.6.0 <=1.7.0-beta.58) +3260 more potentially affected by CVE-2019-5432 via mqtt-packet (>=6.0.0 <=6.10.0)
mqtt-packet NPM version =6.0.0, =1.0.4, =1.6.0, =1.0.1, =0.2.0, =0.4.19, =0.12.0, =0.1.5, =0.1.8, =0.1.3, =0.12.0, =0.1.0, =0.8.3, =0.12.0, =0.12.0, =0.12.0, =0.14.4 and more Source cves: CVE-2019-5432 Source advisory: OSV:GHSA-WV67-9JQ7-8R69...
Node-RED Unauthorized Remote Command Execution Vulnerability
Node-RED is a tool for building Internet of Things (IOT) applications that focuses on simplifying the "connectivity" of code blocks to perform tasks. Node-RED is vulnerable to unauthorized remote command execution. Since the Node-RED application does not enforce any type of authentication,...
Cross-Site Scripting (XSS)
node-red is affected by a cross-site scripting (XSS) vulnerability. The use of .html does not sanitise user input and allows for injection of arbitrary JavaScript through the name parameter...
Node.js third-party modules: Stored XSS in Node-Red
I would like to report a stored XSS in node-red. It allows to execute javascript in the user's browser. Module: module name: node-red, version: v0.18.4, npm page: https://www.npmjs.com/package/node-red. Module Description: A visual tool for wiring the Internet of Things. Module Stats: 1,758 downloads in...