Nodebb · Nodebb-Plugin-Blog-Comments · CVE-2020-15156
**Name of the Vulnerable Software and Affected Versions**
nodebb-plugin-blog-comments versions prior to 0.7.0
**Description**
The issue is due to a lack of CSRF validation, which leaves a logged-in user potentially vulnerable to an XSS attack that could allow a third party to post on the user's behalf on the forum.
**Recommendations**
For versions prior to 0.7.0, upgrade to the latest version v0.7.0.
As a temporary workaround, you can cherry-pick the commit cf43beedb05131937ef46f365ab0a0c6fa6ac618 to mitigate the issue.