| purl | pkg:npm/node-red@0.18.6 |
|---|---|
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-gh2h-q3t6-ebeb (aliases: CVE-2019-15607, GHSA-8w65-xjc5-9w79) | Cross-site Scripting: a stored XSS vulnerability is present in the node-red npm package, a visual tool for wiring the Internet of Things. The issue allows an attacker to steal session cookies, deface web applications, etc. | Affected by 2 other vulnerabilities. |
| VCID-h7v4-5z1t-aqbk (aliases: CVE-2021-21297, GHSA-xp9c-82x8-7f67) | Improperly Controlled Modification of Dynamically-Determined Object Attributes: Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED contains a prototype pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the release. A workaround is to ensure that only authorized users are able to access the editor URL. | Affected by 0 other vulnerabilities. |
| VCID-m5kp-t88v-fufu (aliases: CVE-2021-21298, GHSA-m33v-338h-4v9f) | Path Traversal: Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED has a vulnerability that allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED. The primary workaround is not to give untrusted users read access to the Node-RED editor. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1y32-5wc9-4uhv | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in node-red. | GHSA-5g6j-8hv4-vfgj, GMS-2020-752 |