Nick O'Leary

2 exploits Active since Feb 2021

CVE-2021-21298 WRITEUP LOW WRITEUP

Node-Red <1.2.8 - Path Traversal

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.

CVSS 3.5

View Code

CVE-2024-22207 WRITEUP MEDIUM WRITEUP

Fastify Swagger-UI - Information Disclosure

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.

CVSS 5.3

View Code