In Node-RED-Dashboard before 2.26.2 there is a path traversal vulnerability. In /nodes/ui_base.js, the URL is matched with "/ui_base/js/*" and then passed to path.join. The lack of verification of the final path leads to a path traversal vulnerability.
Upgrade to the fixed version, 2.26.2, or later.
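
The pattern described above, next to a containment check on the final path. This is an added example, not code from Node-RED-Dashboard or its fix; the base directory, function names and sample values are assumptions made for illustration.

```javascript
const path = require('path');

// Hypothetical directory standing in for the folder the route serves from.
const BASE_DIR = path.resolve('/opt/dashboard/dist/js');

// Pattern the advisory describes: the wildcard part of the URL is joined
// onto a base directory and the result is used without being checked.
function joinUnchecked(wildcard) {
  return path.join(BASE_DIR, wildcard); // path.join collapses ".." segments
}

// Hardened form: resolve the final path, then require it to stay under BASE_DIR.
// Returns the absolute path, or null when the request must be refused.
function resolveInsideBase(wildcard) {
  if (typeof wildcard !== 'string' || wildcard.includes('\0')) return null;
  const target = path.resolve(BASE_DIR, wildcard);
  const rel = path.relative(BASE_DIR, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) return null; // the directory itself is not a file
  return target;
}

// Constructed wildcard values, as a route handler would receive them.
const samples = ['widgets/chart.js', 'a/../b.js', '..hidden.js', '../../outside.txt'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', joinUnchecked(s), '|', resolveInsideBase(s));
}
```

The check is lexical: if symbolic links can exist under the base directory, compare the output of fs.realpath for both paths instead.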
CPE

Name | Operator | Version |
---|---|---|
node-red-dashboard | lt | 2.26.2 |