XSS due to lack of CSRF validation for replying/publishing

Moderate severity GitHub Reviewed Published Aug 25, 2020 in psychobunny/nodebb-plugin-blog-comments • Updated Jan 9, 2023

Package

npm nodebb-plugin-blog-comments (npm)

Affected versions

< 0.7.0

Patched versions

0.7.0

Description

Impact

Because the plugin did not validate a CSRF token on its reply and publish actions, a logged-in forum user who is lured to a page controlled by a third party could have posts submitted to the forum on their behalf without their knowledge.

Patches

Upgrade to version 0.7.0 or later.

Workarounds

You can cherry-pick the following commit: psychobunny/nodebb-plugin-blog-comments@cf43bee

References

Visit https://community.nodebb.org if you have any questions about this issue or on how to patch / upgrade your instance.

Reviewed Aug 26, 2020
Published to the GitHub Advisory Database Aug 26, 2020
Last updated Jan 9, 2023

Severity

Moderate (6.8 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2020-15156

GHSA ID

GHSA-43m5-c88r-cjvv

Source code

No known source code
