Cross-Site Scripting in node-red
Moderate severity
GitHub Reviewed
Published
Jan 30, 2020
to the GitHub Advisory Database
•
Updated Sep 11, 2023
Description
Reviewed
Jan 29, 2020
Published to the GitHub Advisory Database
Jan 30, 2020
Last updated
Sep 11, 2023
Versions of
node-red
prior to 0.20.8are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize thename
field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim's browser.Recommendation
Upgrade to version 0.18.6 or later.
References