CVE-2021-43787

Опубликовано: 29 нояб. 2021

Источник: nvd

CVSS3: 9

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Ссылки

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
Exploit
Third Party Advisory
https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
Patch
Release Notes
Third Party Advisory
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
Patch
Third Party Advisory
https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
Exploit
Third Party Advisory
https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
Patch
Release Notes
Third Party Advisory
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*

Версия от 1.15.5 (включая) до 1.18.4 (включая)

EPSS

Процентиль: 61%

0.0041

Низкий

9 Critical

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-wx69-rvg3-x7fc

CVSS3: 9

github

около 4 лет назад

XSS via prototype pollution in NodeBB

EPSS

Процентиль: 61%

0.0041

Низкий

9 Critical

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79