PT-2020-9729 · Node Red · Node-Red

Credits: Vineet Pandey (+1)
Published: 2020-01-28 · Updated: 2020-01-30
CVE-2019-15607
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: node-red versions prior to 0.20.8

Description: A stored XSS issue is present in the node-red npm package, a visual tool for wiring the Internet of Things. This allows attackers to steal session cookies and deface web applications by executing arbitrary JavaScript in the victim's browser. The issue arises from the failure to sanitize the name field of new Flows.

Recommendations: Upgrade to version 0.20.8 or later.
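The weakness described above is a flow name that is stored in the flows configuration and later written into the editor's DOM without escaping. The following is an added example, not node-red's own code: a hypothetical tab-rendering helper shown in its unsafe form beside a hardened form that escapes the name, plus a small check a reviewer can use to confirm that untrusted markup no longer reaches the page. The function names, the CSS class and the sample flow are all constructed for illustration.

```javascript
// Added example (not node-red's code): rendering a user-controlled flow name
// into editor markup, first unescaped, then with HTML escaping applied.
// renderTabUnsafe/renderTabSafe and the "flow-tab" class are hypothetical.

// Minimal HTML escaping for text that is interpolated into element content
// or attribute values. '&' is replaced first so later entities are not doubled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: the stored flow name is concatenated straight into HTML, so any
// markup in the name becomes part of the document when the editor loads.
function renderTabUnsafe(flow) {
  return '<li class="flow-tab"><a href="#">' + flow.label + "</a></li>";
}

// Hardened: the name is escaped before it is placed inside markup, so it is
// displayed as literal text no matter what characters it contains.
function renderTabSafe(flow) {
  return '<li class="flow-tab"><a href="#">' + escapeHtml(flow.label) + "</a></li>";
}

// Review helper (constructed, not a full HTML parser): true when the raw
// label contains a tag-like sequence and appears verbatim in the output.
function leaksMarkup(rendered, label) {
  return /<[a-z]/i.test(label) && rendered.includes(label);
}

// Constructed sample: a flow whose name carries markup. Because the label is
// persisted in the flows JSON, it is re-rendered on every load (stored XSS).
const sampleFlow = { id: "constructed-flow-1", type: "tab", label: "Flow <i>1</i>" };

// Stand-alone usage: compare both renderings for the same stored name.
console.log("unsafe:", renderTabUnsafe(sampleFlow));
console.log("safe:  ", renderTabSafe(sampleFlow));
console.log("unsafe leaks markup:", leaksMarkup(renderTabUnsafe(sampleFlow), sampleFlow.label));
console.log("safe leaks markup:  ", leaksMarkup(renderTabSafe(sampleFlow), sampleFlow.label));
```

Escaping at the point where text meets markup is the general fix for this class of bug; the same rule applies to any other stored field (node names, comments, labels) that the editor renders. In a real code base, prefer the framework's own text-setting APIs (for example `textContent` or a templating engine's auto-escaping) over hand-built string concatenation.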

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2019-15607
GHSA-8W65-XJC5-9W79

Affected Products

Node-Red