Description
Versions of node-red-dashboard prior to 2.17.0 allow JavaScript injection because the ui_notification node accepts raw HTML by default.
Remediation
References
https://snyk.io/vuln/SNYK-JS-NODEREDDASHBOARD-471939