Description
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
Remediation
References
https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939
Related Vulnerabilities
CVE-2020-6464 Vulnerability in npm package electron
CVE-2023-33695 Vulnerability in maven package cn.hutool:hutool-core
CVE-2019-15955 Vulnerability in npm package total.js
CVE-2018-14042 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap-sass
CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_3