GHSA-8w65-xjc5-9w79

Source

https://github.com/advisories/GHSA-8w65-xjc5-9w79

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-8w65-xjc5-9w79/GHSA-8w65-xjc5-9w79.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8w65-xjc5-9w79

Aliases

CVE-2019-15607

Published

2020-01-30T21:00:21Z

Modified

2023-11-08T04:01:14.888606Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross-Site Scripting in node-red

Details

Versions of node-red prior to 0.20.8are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim's browser.

Recommendation

Upgrade to version 0.18.6 or later.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2020-01-29T22:55:48Z"
}

References

Affected packages

npm / node-red

Package

Name: node-red; View open source insights on deps.dev
Purl: pkg:npm/node-red

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.20.8

Database specific

last_known_affected_version_range

"<= 0.20.7"