VYPR
Severity: Moderate (NVD Advisory)
Published: Oct 8, 2019
Updated: Aug 4, 2024

CVE-2019-10756

Description

Node-red-dashboard prior to 2.17.0 allows XSS via the ui_notification node accepting raw HTML by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The vulnerability is a Cross-site Scripting (XSS) issue in the node-red-dashboard component, affecting versions before 2.17.0. The root cause is that the ui_notification node accepts raw HTML by default, without proper sanitization or escaping [1][2]. This allows an attacker to inject arbitrary JavaScript code through crafted notification messages.

Exploitation

An attacker can exploit this vulnerability by crafting a notification message containing malicious JavaScript. The attacker needs to be able to inject content into the ui_notification node, which typically requires some level of access to the Node-RED instance (e.g., the ability to send notifications). The injected script is then executed when any user views the dashboard that includes the notification [2]. Authentication is not required if the notification node's input is exposed, although in typical deployments notifications are sent by authenticated users.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of sensitive data, session hijacking, or defacement of the dashboard. The impact is high as it compromises the security of the Node-RED dashboard and its users [2].

Mitigation

The vulnerability is fixed in node-red-dashboard version 2.17.0. Users should upgrade to this version or later immediately. No known workarounds are mentioned besides upgrading [2]. The vulnerability was disclosed by Goh Jing Loon (GovTech) and is tracked as SNYK-JS-NODEREDDASHBOARD-471939 [1][2].
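For flows that cannot be upgraded right away, the exposure can be reduced by escaping untrusted text before it reaches the ui_notification node. The following is an added example, not code from the advisory or from node-red-dashboard; it assumes a Node-RED Function node wired directly in front of ui_notification and that ui_notification takes the message body from msg.payload and the title from msg.topic.

```javascript
// Added defensive example (not from the advisory or node-red-dashboard):
// HTML-escape the text of a notification before it reaches ui_notification,
// so an untrusted string is rendered as literal text rather than as markup.
// Assumption: ui_notification reads the body from msg.payload and the title
// from msg.topic.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can open or close markup with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Body of a Function node placed immediately before ui_notification:
// copies the message, escapes payload and topic, passes the rest through.
// In the Function node editor the body would be: return sanitizeNotification(msg);
function sanitizeNotification(msg) {
  const out = { ...msg };
  if (out.payload !== undefined) out.payload = escapeHtml(out.payload);
  if (typeof out.topic === 'string') out.topic = escapeHtml(out.topic);
  return out;
}

// Constructed sample: a status message that carries injected tags.
const sample = { topic: 'Sensor 3', payload: 'offline <b>ALERT</b><script>x()</script>' };
const safe = sanitizeNotification(sample);
console.log(safe.payload);
// offline &lt;b&gt;ALERT&lt;/b&gt;&lt;script&gt;x()&lt;/script&gt;
```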

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: node-red-dashboard (npm)
Affected versions: < 2.17.0
Patched versions: 2.17.0
