CVE-2020-15156

Опубликовано: 26 авг. 2020

Источник: nvd

CVSS3: 6.8

CVSS3: 8.1

CVSS2: 4.3

EPSS Низкий

Описание

In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.

Ссылки

https://github.com/psychobunny/nodebb-plugin-blog-comments/commit/cf43beedb05131937ef46f365ab0a0c6fa6ac618
Patch
Third Party Advisory
https://github.com/psychobunny/nodebb-plugin-blog-comments/security/advisories/GHSA-43m5-c88r-cjvv
Third Party Advisory
https://www.npmjs.com/package/nodebb-plugin-blog-comments
Third Party Advisory
https://github.com/psychobunny/nodebb-plugin-blog-comments/commit/cf43beedb05131937ef46f365ab0a0c6fa6ac618
Patch
Third Party Advisory
https://github.com/psychobunny/nodebb-plugin-blog-comments/security/advisories/GHSA-43m5-c88r-cjvv
Third Party Advisory
https://www.npmjs.com/package/nodebb-plugin-blog-comments
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nodebb:blog_comments:*:*:*:*:*:node.js:*:*

Версия до 0.7.0 (исключая)

EPSS

Процентиль: 43%

0.00206

Низкий

6.8 Medium

CVSS3

8.1 High

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-43m5-c88r-cjvv

CVSS3: 6.8

github

больше 5 лет назад

XSS due to lack of CSRF validation for replying/publishing

EPSS

Процентиль: 43%

0.00206

Низкий

6.8 Medium

CVSS3

8.1 High

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352