CVE-2021-26504
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2021-26504 is a directory traversal vulnerability in Foddy's node-red-contrib-huemagic package, version 3.0.0. The weakness is in the hue-magic.js file, where user-supplied input reaches the res.sendFile API without proper validation, so a crafted request can bypass the intended file access restrictions and read sensitive information. This can lead to the disclosure of critical data. Users should upgrade to a patched version of node-red-contrib-huemagic as soon as possible to mitigate this threat.