Description
node-red-dashboard versions prior to 2.17.0 allow JavaScript injection because the ui_notification node accepts raw HTML by default.
Remediation
References
https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939