
Vineetpandey

#20109 of 53,635
12.9 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)

PT-2020-9729 · CVSS 5.4 · 2020-01-28
Node Red · Node-Red · CVE-2019-15607

**Name of the Vulnerable Software and Affected Versions** node-red versions prior to 0.20.8

**Description** A stored XSS issue is present in the node-red npm package, a visual tool for wiring the Internet of Things. This allows attackers to steal session cookies and deface web applications by executing arbitrary JavaScript in the victim's browser. The issue arises from the failure to sanitize the `name` field in new Flows.

**Recommendations** Upgrade to version 0.20.8 or later.

PT-2019-14304 · CVSS 7.5 · 2019-12-18
Unknown · Http Server · CVE-2019-15600

**Name of the Vulnerable Software and Affected Versions** http server, all versions

**Description** A path traversal issue exists, allowing an attacker to read arbitrary system files. Additionally, all versions of http server are vulnerable to Cross-Site Scripting (XSS) due to the failure to sanitize filenames, enabling attackers to execute arbitrary JavaScript in the victim's browser through files with malicious code in their names.

**Recommendations** For all versions, consider using an alternative package until a fix is made available. As a temporary workaround, consider restricting access to sensitive system files and avoiding the use of filenames that could contain malicious code.