Headline
CVE-2022-3783: User can inject JavaScript code into the text node which can cause security issues( Cross-Site Scripting) · Issue #772 · node-red/node-red-dashboard
A vulnerability, which was classified as problematic, has been found in node-red-dashboard. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 9305d1a82f19b235dfad24a7d1dd4ed244db7743. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212555.
What are the steps to reproduce?
Drag Dashboard Text Node and inject node into the Node-red workspace . Click on Edit text node and add value format value as {{constructor.constructor('alert(document.cookie)')()}}.
What happens?
Malicious script code can be injected permanently into the Node-red. Using injected code, an
user could, for example, steal Node Red identifiers of any other sensitive information.
What do you expect to happen?
when Data in JavaScript format is injected to text node output must be converted to string .
Please tell us about your environment:
- [ x] Node-RED-Dashboard version: 3.1.2
- [ x] Node-RED version: 2.1.4
- [ x] node.js version: 14.18.2
- npm version:
- Platform/OS: docker
- [ x ] Browser: Chrome
Related news
node-red-dashboard contains a cross-site scripting vulnerability. This issue affects some unknown processing of the file `components/ui-component/ui-component-ctrl.js` of the component ui_text Format Handler. The attack may be initiated remotely. The issue is patched in version 3.2.0.