Node Red Dashboard
CVE-2021-3223
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
AnalysisAI
Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files. Affected products include: Nodered Node-Red-Dashboard. Version information: before 2.26.2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Node Red Dashboard
View allA vulnerability, which was classified as problematic, has been found in node-red-dashboard.js of the component ui_text F
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notificatio
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today