Severity: moderate

Cross-Site Scripting

node-red

Overview

Versions of node-red prior to 0.20.8 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim's browser.
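
As an added example (not code from Node-RED or from this advisory), the script below checks a flow export for flow names that contain HTML markup and returns the escaped form a renderer should emit instead. It assumes the export is a JSON array in which flow tabs have type "tab" and carry their display text in "label" or "name"; the sample data is constructed.

```javascript
// Added example: audit a Node-RED flow export for markup in flow names.
// Assumption: the export is a JSON array and each flow tab is an object
// with type "tab" whose display text is stored in "label" or "name".
const SAMPLE_EXPORT = JSON.stringify([ // constructed sample data
  { id: "a1", type: "tab", label: "Flow 1" },
  { id: "a2", type: "tab", label: "<script>alert(1)</script>" },
  { id: "a3", type: "tab", name: "Sensors & <b>alarms</b>" },
  { id: "a4", type: "inject", name: "tick <5s>", z: "a1" },
]);

// Escape the characters that let text break out of an HTML text or
// attribute context, so a name is rendered as literal characters.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// An opening or closing tag: "<" (optionally "/") followed by a letter.
const MARKUP = /<\/?[a-zA-Z][^>]*>/;

// Return one finding per flow-tab field whose value contains markup.
function auditFlowNames(exportJson) {
  const nodes = JSON.parse(exportJson);
  if (!Array.isArray(nodes)) throw new TypeError("expected a JSON array of nodes");
  const findings = [];
  for (const node of nodes) {
    if (!node || node.type !== "tab") continue; // only flow tabs are checked
    for (const field of ["label", "name"]) {
      const value = node[field];
      if (typeof value === "string" && MARKUP.test(value)) {
        findings.push({ id: node.id, field, value, escaped: escapeHtml(value) });
      }
    }
  }
  return findings;
}

console.log(auditFlowNames(SAMPLE_EXPORT));
```

A non-empty result on an instance that ran a vulnerable version means those flow names should be reviewed and renamed after upgrading.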

Remediation

Upgrade to version 0.18.6 or later.


Advisory timeline

  1. Advisory Published: Jan 30th, 2020
  2. Reported by Vineet Kumar Pandey: Jan 17th, 2020