PT-2020-14233 · Nodebb · Nodebb-Plugin-Blog-Comments

Psychobunny · Published 2020-08-26 · Updated 2020-09-01 · CVE-2020-15156

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: nodebb-plugin-blog-comments versions prior to 0.7.0

Description: The issue is due to a lack of CSRF validation, making a logged-in user potentially vulnerable to an XSS attack. This could allow a third party to post on the user's behalf on the forum.

Recommendations: For versions prior to 0.7.0, upgrade to the latest version, v0.7.0. As a temporary workaround, cherry-pick commit cf43beedb05131937ef46f365ab0a0c6fa6ac618 to mitigate the issue.

Fix

CSRF


Weakness Enumeration

Related Identifiers: CVE-2020-15156, GHSA-43M5-C88R-CJVV

Affected Products: Nodebb-Plugin-Blog-Comments