Description
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
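The practical consequence is that any untrusted text that reaches the ui_notification node's `msg.payload` is rendered as markup in the dashboard. Independently of upgrading, a flow can neutralise this by HTML-escaping the payload before it reaches the node. The following is an added example, not code from the advisory or from the node-red-dashboard project; it assumes a Node-RED "function" node wired in front of ui_notification, and it also escapes `msg.topic` on the assumption that the node displays the topic as the notification title.

```javascript
// Added example (not from the advisory or the node-red-dashboard project).
// Assumption: this code runs inside a Node-RED "function" node placed
// immediately before a ui_notification node, so everything the dashboard
// renders has passed through sanitizeNotification().

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace the five characters that can open or close HTML tags/attributes.
// Non-string payloads (numbers, objects) are stringified first so the node
// never receives a value it might interpret as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Returns a shallow copy of msg with payload (and topic, if present) escaped.
// Copying keeps the original message intact for any other wires on the node.
function sanitizeNotification(msg) {
  const out = Object.assign({}, msg);
  out.payload = escapeHtml(msg.payload);
  if (msg.topic !== undefined) {
    // Assumption: ui_notification uses msg.topic as the title text.
    out.topic = escapeHtml(msg.topic);
  }
  return out;
}

// Constructed sample input: what an MQTT or HTTP-fed flow might carry when a
// remote sender controls the text. The markup is rendered as literal text
// after escaping instead of being interpreted by the browser.
const untrusted = {
  payload: '<img src=x onerror="alert(1)">',
  topic: "Sensor <b>A</b> 'north'",
};

const safe = sanitizeNotification(untrusted);
// safe.payload === '&lt;img src=x onerror=&quot;alert(1)&quot;&gt;'

module.exports = { escapeHtml, sanitizeNotification, safe };
```

Inside an actual function node the body reduces to `return sanitizeNotification(msg);`; the `module.exports` line exists only so the helpers can be exercised outside Node-RED.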
Remediation
Upgrade node-red-dashboard to version 2.17.0 or later.
References
https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939