Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via a lack of MIME type validation on uploaded binary files, which can be controlled through a GET parameter. This allows an authenticated attacker with member-level privileges to upload a crafted HTML file containing malicious code. If another authenticated user visits the binary data endpoint with the MIME type specified as `text/html`, the embedded script will execute within the user's browser session, potentially enabling account takeover, for instance, by initiating an unauthorized email address change. How to fix Cross-site Scripting (XSS)? Upgrade `n8n` to version 1.90.0 or higher.	<1.90.0

Cross-site Scripting (XSS)

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via a lack of MIME type validation on uploaded binary files, which can be controlled through a GET parameter. This allows an authenticated attacker with member-level privileges to upload a crafted HTML file containing malicious code. If another authenticated user visits the binary data endpoint with the MIME type specified as text/html, the embedded script will execute within the user's browser session, potentially enabling account takeover, for instance, by initiating an unauthorized email address change.

How to fix Cross-site Scripting (XSS)?

Upgrade n8n to version 1.90.0 or higher.

<1.90.0

Go back to all versions of this package