
CVE-2022-3783: node-red-dashboard vulnerable to Cross-site Scripting

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.23116%
Published: 11/1/2022
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: node-red-dashboard
Ecosystem: npm
Vulnerable Versions: < 3.2.0
First Patched Version: 3.2.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from using AngularJS's $interpolate service on unsanitized user input. The patch added checks for 'constructor' in input strings to prevent prototype chain access. The affected functions were those binding user-controlled properties to $interpolate: getText, getLabel, getTooltip, getColor, getIcon, and getUnits in ui-component-ctrl.js. These functions processed user input without proper sanitization, enabling XSS when malicious payloads like {{constructor.constructor('alert(1)')()}} were used.
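As an added illustration (not node-red-dashboard's own code), the shape of the fix the analysis describes: a guard that refuses templates mentioning `constructor`, placed in front of the interpolation step. `fakeInterpolate` is an assumed stand-in for AngularJS's `$interpolate` that only does property lookups, and `getLabelVulnerable` / `getLabelHardened` are hypothetical names for the before and after of one of the listed binding functions.

```javascript
// Hypothetical guard modelled on the fix described above (assumption, not the
// project's code): refuse any template containing "constructor", because an
// AngularJS expression such as {{constructor.constructor}} walks from the scope
// object up the prototype chain to the Function constructor.
function isSafeTemplate(input) {
  return typeof input === 'string' && !input.includes('constructor');
}

// Stand-in for AngularJS's $interpolate (assumption): resolves each {{a.b.c}}
// by plain property lookup against the scope. That is enough to show the
// prototype-chain walk without evaluating arbitrary expressions.
function fakeInterpolate(template) {
  return (scope) => template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) =>
    String(path.split('.').reduce((obj, key) => (obj == null ? obj : obj[key]), scope)));
}

// Vulnerable shape of getText/getLabel/...: the user-controlled value goes
// straight into the interpolation service.
function getLabelVulnerable(interpolate, scope, value) {
  return interpolate(value)(scope);
}

// Hardened shape: check the input first; otherwise render it as literal text
// instead of treating it as a template.
function getLabelHardened(interpolate, scope, value) {
  return isSafeTemplate(value) ? interpolate(value)(scope) : String(value);
}

// Constructed sample scope and templates (not taken from a real deployment).
const SCOPE = { msg: { payload: 'ready' } };
const BENIGN = 'Status: {{msg.payload}}';   // legitimate binding, must keep working
const PROBE = '{{constructor.constructor}}'; // reaches Function via the prototype chain

// getLabelVulnerable(fakeInterpolate, SCOPE, PROBE) -> 'function Function() { [native code] }'
// getLabelHardened(fakeInterpolate, SCOPE, PROBE)   -> '{{constructor.constructor}}'
```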


WAF Protection Rules

WAF Rule

node-red-dashboard contains a cross-site scripting vulnerability. This issue affects some unknown processing of the file `components/ui-component/ui-component-ctrl.js` of the component ui_text format handler. The attack may be initiated remotely. The
