Anthony Morell

**Name of the Vulnerable Software and Affected Versions** NodeBB versions prior to 4.0.5 **Description** A Cross-Site Scripting (XSS) issue allows remote attackers to store arbitrary code, potentially rendering the blacklist IP functionality unusable until the content is removed via the database. **Recommendations** For NodeBB versions prior to 4.0.5, update to version 4.0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NodeBB versions prior to 4.0.5 **Description** A Cross-Site Scripting (XSS) issue allows remote attackers to store arbitrary code in the admin API Access token generator. This could potentially lead to the execution of malicious code. **Recommendations** For NodeBB versions prior to 4.0.5, update to version 4.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin API Access token generator until a patch is applied. Avoid using the `admin API Access token generator` feature in affected versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NodeBB version 3.11.0 **Description** A persistent cross-site scripting (XSS) issue allows remote attackers to store arbitrary code in the 'about me' section of their profile. This enables attackers to execute malicious scripts on the website. **Recommendations** For NodeBB version 3.11.0, as a temporary workaround, consider disabling the 'about me' section of user profiles until a patch is available. Restrict access to this section to minimize the risk of exploitation. Avoid using the `about me` section in user profiles until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.