Okay, so in many cases just clicking on the link doesn't give you XSS, because your browser automatically URL encodes the angle brackets. But if you click on the link, intercept your request (use Burp Suite or Fiddler or similar) and URL decode the path, it works.
Depending on your deployment of NodeBB's surrounding infrastructure, this decoding may be done at some point before the request hits NodeBB. In those cases this would certainly be an XSS vector.
There is a reflected XSS vulnerability when putting JavaScript in the following NodeBB URL.
http://forum.tld/user/1<script>alert(1)</script>
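An added example, not NodeBB's own code, illustrating the defensive point raised in this thread: a reflected path segment must be HTML-escaped at the output sink after any URL decoding, because a proxy or framework layer that decodes the path before it reaches the application would undo escaping applied earlier. The handler, function names and the "user not found" page are assumptions for illustration.

```javascript
// Added example (not NodeBB's code): reflecting a request path into HTML safely.
// Assumed scenario: a handler echoes the requested path into an error page, and
// an upstream proxy may or may not have URL-decoded the path already.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Decode percent-encoding the way a proxy might; tolerate malformed input
// instead of throwing on a bad %-sequence.
function decodePath(path) {
  try {
    return decodeURIComponent(path);
  } catch (e) {
    return path;
  }
}

// Hardened ordering: normalise (decode) first, then escape at the HTML sink.
// Whether the browser, a proxy, or nobody decoded the path, the output is inert.
function renderNotFoundSafe(requestPath) {
  return `<p>User not found: ${escapeHtml(decodePath(requestPath))}</p>`;
}

// Wrong ordering (illustrative): escaping before a later decode step is useless,
// because "%3C" passes through escapeHtml untouched and only becomes "<" afterwards.
function renderNotFoundWrongOrder(requestPath) {
  return `<p>User not found: ${decodePath(escapeHtml(requestPath))}</p>`;
}

// Check used for regression tests: does the rendered HTML contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample paths: the raw form and the browser-encoded form of the same request.
const SAMPLE_RAW = '/user/1<script>alert(1)</script>';
const SAMPLE_ENCODED = '/user/1%3Cscript%3Ealert(1)%3C/script%3E';

console.log(renderNotFoundSafe(SAMPLE_RAW));          // escaped, no live tag
console.log(renderNotFoundSafe(SAMPLE_ENCODED));      // escaped, no live tag
console.log(renderNotFoundWrongOrder(SAMPLE_ENCODED)); // live tag: the bug this thread describes
```

The third output shows why "the browser encodes the brackets" is not a defence on its own: any decoding step between the browser and the template restores the payload unless escaping happens last.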