Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    12 vulnerabilities by nodered

    CVE-2022-3783 (GCVE-0-2022-3783)

    Vulnerability from nvd – Published: 2022-10-31 00:00 – Updated: 2025-04-15 13:23
    VLAI
    Title
    node-red-dashboard ui_text Format ui-component-ctrl.js cross site scripting
    Summary
    A vulnerability, which was classified as problematic, has been found in node-red-dashboard. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 9305d1a82f19b235dfad24a7d1dd4ed244db7743. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212555.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-79 Cross Site Scripting
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:20:58.330Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/issues/772"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/commit/9305d1a82f19b235dfad24a7d1dd4ed244db7743"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.212555"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3783",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T16:58:58.752975Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-15T13:23:12.687Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red-dashboard",
              "vendor": "unspecified",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, has been found in node-red-dashboard. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 9305d1a82f19b235dfad24a7d1dd4ed244db7743. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212555."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-707",
                  "description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-79 Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-31T00:00:00.000Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "url": "https://github.com/node-red/node-red-dashboard/issues/772"
            },
            {
              "url": "https://github.com/node-red/node-red-dashboard/commit/9305d1a82f19b235dfad24a7d1dd4ed244db7743"
            },
            {
              "url": "https://vuldb.com/?id.212555"
            }
          ],
          "title": "node-red-dashboard ui_text Format ui-component-ctrl.js cross site scripting",
          "x_generator": "vuldb.com"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2022-3783",
        "datePublished": "2022-10-31T00:00:00.000Z",
        "dateReserved": "2022-10-31T00:00:00.000Z",
        "dateUpdated": "2025-04-15T13:23:12.687Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21298 (GCVE-0-2021-21298)

    Vulnerability from nvd – Published: 2021-02-26 16:25 – Updated: 2024-08-03 18:09
    VLAI
    Title
    Path traversal in Node-Red
    Summary
    Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    node-red node-red Affected: < 1.2.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:15.856Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/%40node-red/runtime"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red",
              "vendor": "node-red",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-26T16:25:14.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/%40node-red/runtime"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"
            }
          ],
          "source": {
            "advisory": "GHSA-m33v-338h-4v9f",
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal in Node-Red",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-21298",
              "STATE": "PUBLIC",
              "TITLE": "Path traversal in Node-Red"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 1.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "node-red"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.npmjs.com/package/@node-red/runtime",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/@node-red/runtime"
                },
                {
                  "name": "https://github.com/node-red/node-red/releases/tag/1.2.8",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
                },
                {
                  "name": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"
                },
                {
                  "name": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-m33v-338h-4v9f",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21298",
        "datePublished": "2021-02-26T16:25:14.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:15.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21297 (GCVE-0-2021-21297)

    Vulnerability from nvd – Published: 2021-02-26 16:20 – Updated: 2024-08-03 18:09
    VLAI
    Title
    Prototype Pollution in Node-Red
    Summary
    Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    Impacted products
    Vendor Product Version
    node-red node-red Affected: < 1.2.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:15.688Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/%40node-red/runtime"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/%40node-red/editor-api"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red",
              "vendor": "node-red",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-26T16:20:17.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/%40node-red/runtime"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/%40node-red/editor-api"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
            }
          ],
          "source": {
            "advisory": "GHSA-xp9c-82x8-7f67",
            "discovery": "UNKNOWN"
          },
          "title": "Prototype Pollution in Node-Red",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-21297",
              "STATE": "PUBLIC",
              "TITLE": "Prototype Pollution in Node-Red"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 1.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "node-red"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
                },
                {
                  "name": "https://www.npmjs.com/package/@node-red/runtime",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/@node-red/runtime"
                },
                {
                  "name": "https://www.npmjs.com/package/@node-red/editor-api",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/@node-red/editor-api"
                },
                {
                  "name": "https://github.com/node-red/node-red/releases/tag/1.2.8",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-xp9c-82x8-7f67",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21297",
        "datePublished": "2021-02-26T16:20:17.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:15.688Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3223 (GCVE-0-2021-3223)

    Vulnerability from nvd – Published: 2021-01-26 05:58 – Updated: 2024-08-03 16:53
    VLAI Shadowserver KEVIntel
    Summary
    Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:53:16.510Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/issues/669"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-26T05:58:52.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red-dashboard/issues/669"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-3223",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/node-red/node-red-dashboard/issues/669",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red-dashboard/issues/669"
                },
                {
                  "name": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3223",
        "datePublished": "2021-01-26T05:58:52.000Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T16:53:16.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-15607 (GCVE-0-2019-15607)

    Vulnerability from nvd – Published: 2020-01-28 02:13 – Updated: 2024-08-05 00:49
    VLAI
    Summary
    A stored XSS vulnerability is present within node-red (version: <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/681986 x_refsource_MISC
    Impacted products
    Vendor Product Version
    n/a node-red Affected: 0.20.7 and earlier
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:49:13.677Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/681986"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.20.7 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A stored XSS vulnerability is present within node-red (version: \u003c= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-28T02:13:16.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/681986"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2019-15607",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.20.7 and earlier"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A stored XSS vulnerability is present within node-red (version: \u003c= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/681986",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/681986"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2019-15607",
        "datePublished": "2020-01-28T02:13:16.000Z",
        "dateReserved": "2019-08-26T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:49:13.677Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10756 (GCVE-0-2019-10756)

    Vulnerability from nvd – Published: 2019-10-08 18:58 – Updated: 2024-08-04 22:32
    VLAI
    Summary
    It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
    Severity
    No CVSS data available.
    CWE
    • Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a node-red-dashboard Affected: All versions prior to version 2.17.0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:32:01.593Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red-dashboard",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 2.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-10-08T18:58:18.000Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "report@snyk.io",
              "ID": "CVE-2019-10756",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red-dashboard",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 2.17.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939",
                  "refsource": "CONFIRM",
                  "url": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2019-10756",
        "datePublished": "2019-10-08T18:58:18.000Z",
        "dateReserved": "2019-04-03T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:32:01.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3783 (GCVE-0-2022-3783)

    Vulnerability from cvelistv5 – Published: 2022-10-31 00:00 – Updated: 2025-04-15 13:23
    VLAI
    Title
    node-red-dashboard ui_text Format ui-component-ctrl.js cross site scripting
    Summary
    A vulnerability, which was classified as problematic, has been found in node-red-dashboard. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 9305d1a82f19b235dfad24a7d1dd4ed244db7743. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212555.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-79 Cross Site Scripting
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:20:58.330Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/issues/772"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/commit/9305d1a82f19b235dfad24a7d1dd4ed244db7743"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.212555"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3783",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T16:58:58.752975Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-15T13:23:12.687Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red-dashboard",
              "vendor": "unspecified",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, has been found in node-red-dashboard. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 9305d1a82f19b235dfad24a7d1dd4ed244db7743. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212555."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-707",
                  "description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-79 Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-31T00:00:00.000Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "url": "https://github.com/node-red/node-red-dashboard/issues/772"
            },
            {
              "url": "https://github.com/node-red/node-red-dashboard/commit/9305d1a82f19b235dfad24a7d1dd4ed244db7743"
            },
            {
              "url": "https://vuldb.com/?id.212555"
            }
          ],
          "title": "node-red-dashboard ui_text Format ui-component-ctrl.js cross site scripting",
          "x_generator": "vuldb.com"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2022-3783",
        "datePublished": "2022-10-31T00:00:00.000Z",
        "dateReserved": "2022-10-31T00:00:00.000Z",
        "dateUpdated": "2025-04-15T13:23:12.687Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21298 (GCVE-0-2021-21298)

    Vulnerability from cvelistv5 – Published: 2021-02-26 16:25 – Updated: 2024-08-03 18:09
    VLAI
    Title
    Path traversal in Node-Red
    Summary
    Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    node-red node-red Affected: < 1.2.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:15.856Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/%40node-red/runtime"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red",
              "vendor": "node-red",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-26T16:25:14.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/%40node-red/runtime"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"
            }
          ],
          "source": {
            "advisory": "GHSA-m33v-338h-4v9f",
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal in Node-Red",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-21298",
              "STATE": "PUBLIC",
              "TITLE": "Path traversal in Node-Red"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 1.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "node-red"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.npmjs.com/package/@node-red/runtime",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/@node-red/runtime"
                },
                {
                  "name": "https://github.com/node-red/node-red/releases/tag/1.2.8",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
                },
                {
                  "name": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f"
                },
                {
                  "name": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-m33v-338h-4v9f",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21298",
        "datePublished": "2021-02-26T16:25:14.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:15.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21297 (GCVE-0-2021-21297)

    Vulnerability from cvelistv5 – Published: 2021-02-26 16:20 – Updated: 2024-08-03 18:09
    VLAI
    Title
    Prototype Pollution in Node-Red
    Summary
    Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    Impacted products
    Vendor Product Version
    node-red node-red Affected: < 1.2.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:15.688Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/%40node-red/runtime"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/%40node-red/editor-api"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red",
              "vendor": "node-red",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-26T16:20:17.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/%40node-red/runtime"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/%40node-red/editor-api"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
            }
          ],
          "source": {
            "advisory": "GHSA-xp9c-82x8-7f67",
            "discovery": "UNKNOWN"
          },
          "title": "Prototype Pollution in Node-Red",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-21297",
              "STATE": "PUBLIC",
              "TITLE": "Prototype Pollution in Node-Red"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 1.2.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "node-red"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
                },
                {
                  "name": "https://www.npmjs.com/package/@node-red/runtime",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/@node-red/runtime"
                },
                {
                  "name": "https://www.npmjs.com/package/@node-red/editor-api",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/@node-red/editor-api"
                },
                {
                  "name": "https://github.com/node-red/node-red/releases/tag/1.2.8",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-xp9c-82x8-7f67",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21297",
        "datePublished": "2021-02-26T16:20:17.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:15.688Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3223 (GCVE-0-2021-3223)

    Vulnerability from cvelistv5 – Published: 2021-01-26 05:58 – Updated: 2024-08-03 16:53
    VLAI Shadowserver KEVIntel
    Summary
    Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:53:16.510Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/issues/669"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-26T05:58:52.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/node-red/node-red-dashboard/issues/669"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-3223",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/node-red/node-red-dashboard/issues/669",
                  "refsource": "MISC",
                  "url": "https://github.com/node-red/node-red-dashboard/issues/669"
                },
                {
                  "name": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3223",
        "datePublished": "2021-01-26T05:58:52.000Z",
        "dateReserved": "2021-01-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T16:53:16.510Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-15607 (GCVE-0-2019-15607)

    Vulnerability from cvelistv5 – Published: 2020-01-28 02:13 – Updated: 2024-08-05 00:49
    VLAI
    Summary
    A stored XSS vulnerability is present within node-red (version: <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/681986 x_refsource_MISC
    Impacted products
    Vendor Product Version
    n/a node-red Affected: 0.20.7 and earlier
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:49:13.677Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/681986"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.20.7 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A stored XSS vulnerability is present within node-red (version: \u003c= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-28T02:13:16.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/681986"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2019-15607",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.20.7 and earlier"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A stored XSS vulnerability is present within node-red (version: \u003c= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/681986",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/681986"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2019-15607",
        "datePublished": "2020-01-28T02:13:16.000Z",
        "dateReserved": "2019-08-26T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:49:13.677Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10756 (GCVE-0-2019-10756)

    Vulnerability from cvelistv5 – Published: 2019-10-08 18:58 – Updated: 2024-08-04 22:32
    VLAI
    Summary
    It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
    Severity
    No CVSS data available.
    CWE
    • Cross-site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a node-red-dashboard Affected: All versions prior to version 2.17.0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:32:01.593Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node-red-dashboard",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 2.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-10-08T18:58:18.000Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "report@snyk.io",
              "ID": "CVE-2019-10756",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node-red-dashboard",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 2.17.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939",
                  "refsource": "CONFIRM",
                  "url": "https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2019-10756",
        "datePublished": "2019-10-08T18:58:18.000Z",
        "dateReserved": "2019-04-03T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:32:01.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }