Description
It is possible to inject JavaScript into node-red-dashboard versions prior to 2.17.0 because the ui_notification node accepts raw HTML in its payload by default. Any untrusted text routed into a notification is therefore rendered unescaped in the dashboard user's browser, so markup or script embedded in that text executes in the context of the dashboard (a cross-site scripting condition).
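The following is an added example, not code from node-red-dashboard or the advisory. It shows the pattern the description warns about, a Node-RED Function node that forwards untrusted text straight into a ui_notification payload, beside a hardened Function node that HTML-escapes the text first. Escaping is a stopgap for installs that cannot yet upgrade; the fix is the upgrade itself. The function names, the helper `escapeHtml`, the `containsMarkup` check and the sample payload are all constructed for illustration.

```javascript
// Added example (not node-red-dashboard code). Demonstrates why forwarding
// untrusted text into a raw-HTML notification is dangerous, and one way a
// Function node can neutralise it before it reaches ui_notification.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Everything else is left as-is.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable Function node body: msg.payload is passed through unchanged.
// With ui_notification rendering the payload as raw HTML (the pre-2.17.0
// default described above), embedded markup and event handlers execute in
// every dashboard viewer's browser.
function notificationNodeUnsafe(msg) {
  return { topic: 'Alert', payload: msg.payload };
}

// Hardened Function node body: the same text is escaped before it is
// forwarded, so it renders as literal characters instead of markup.
function notificationNodeSafe(msg) {
  return { topic: 'Alert', payload: escapeHtml(msg.payload) };
}

// Cheap check a dashboard author can run over outgoing payloads to see
// whether anything that looks like a tag survived.
function containsMarkup(payload) {
  return /<\s*[a-zA-Z!\/]/.test(String(payload));
}

// Constructed sample: a device "name" arriving from an untrusted source
// (for example an MQTT topic anyone on the network can publish to).
const attackerMsg = {
  payload: '<img src=x onerror="alert(document.cookie)">Pump 3 offline',
};

// Usage: compare what each variant would hand to ui_notification.
console.log('unsafe :', notificationNodeUnsafe(attackerMsg).payload);
console.log('safe   :', notificationNodeSafe(attackerMsg).payload);
```

The escaped payload still reads correctly in the notification ("Pump 3 offline" preceded by the literal tag text), which is the behaviour an operator wants from a status message. In an actual Function node the body would be `msg.payload = escapeHtml(msg.payload); return msg;` with `escapeHtml` defined inline, since Function nodes cannot import local modules without configuration.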
Remediation
Upgrade node-red-dashboard to version 2.17.0 or later. Until the upgrade is in place, do not route untrusted text into ui_notification without HTML-escaping it first.
References
https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939