CVSS Score

The vulnerability stemmed from using AngularJS's $interpolate service on unsanitized user input. The patch added checks for 'constructor' in input strings to prevent prototype chain access. The affected functions were those binding user-controlled properties to $interpolate: getText, getLabel, getTooltip, getColor, getIcon, and getUnits in ui-component-ctrl.js. These functions processed user input without proper sanitization, enabling XSS when malicious payloads like {{constructor.constructor('alert(1)')()}} were used.
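As an added illustration (not node-red-dashboard's own code), the guard the description above implies, paired with a placeholder resolver that only steps through own properties so prototype members never resolve; `isSafeTemplate`, `resolvePath`, `interpolate` and the scope object are assumptions constructed for this example.

```javascript
// Matches {{ path }} placeholders; the path is resolved against a plain scope
// object, never evaluated as an expression.
const INTERPOLATION_RE = /\{\{\s*([^{}]+?)\s*\}\}/g;

// Mirrors the patch's check: refuse to interpolate any input that mentions
// 'constructor', since {{constructor.constructor(...)}} reaches Function
// through the prototype chain that every object carries.
function isSafeTemplate(text) {
  return typeof text === 'string' && !text.includes('constructor');
}

// Resolve a dotted path, stepping only through own properties, so inherited
// members such as constructor or __proto__ come back undefined.
function resolvePath(scope, path) {
  let cur = scope;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Interpolate placeholders in text; input failing the guard is returned
// verbatim as literal text (interpolated: false) rather than evaluated.
function interpolate(text, scope) {
  if (!isSafeTemplate(text)) {
    return { interpolated: false, value: text };
  }
  const value = text.replace(INTERPOLATION_RE, (_, path) => {
    const v = resolvePath(scope, path);
    return v === undefined ? '' : String(v);
  });
  return { interpolated: true, value };
}

// Constructed sample: a widget label bound to a benign dashboard message.
const sampleScope = { msg: { payload: 21, topic: 'temperature' } };
console.log(interpolate('Temp: {{msg.payload}} C', sampleScope).value);
```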
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-red-dashboard | npm | < 3.2.0 | 3.2.0 |