exploitDog
GHSA-43m5-c88r-cjvv

Published: 26 Aug 2020
Source: GitHub
GitHub: reviewed
CVSS3: 6.8

Description

XSS due to lack of CSRF validation for replying/publishing

Impact

The plugin's reply/publish endpoints did not validate a CSRF token, so a page controlled by a third party could make a logged-in user's browser submit a comment or reply, posting on that user's behalf on the forum. The advisory title calls this XSS, but the mechanism it describes, and the weakness recorded for it (CWE-352), is cross-site request forgery: the attacker never runs script in the forum's origin, they only need the victim's browser to attach its session cookie to a forged request.

Patches

Upgrade to version 0.7.0 (the latest release at the time of the advisory) or later.

Workarounds

If you cannot upgrade, cherry-pick the fixing commit: https://github.com/psychobunny/nodebb-plugin-blog-comments/commit/cf43beedb05131937ef46f365ab0a0c6fa6ac618

References

Visit https://community.nodebb.org if you have any questions about this issue or on how to patch / upgrade your instance.

Packages

Name: nodebb-plugin-blog-comments (npm)
Affected versions: < 0.7.0
Fixed version: 0.7.0

EPSS

Percentile: 43%
Score: 0.00206
Low

CVSS3: 6.8 Medium

Weaknesses

CWE-352

Related vulnerabilities

CVSS3: 6.8
Source: NVD
Published more than 5 years ago

In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.
