CVE-2019-10756

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
08/10/2019
Last modified:
17/10/2019

Description

It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:node.js:*:* 2.17.0 (excluding)


References to Advisories, Solutions, and Tools