CyberSec.Space Logo
Back to CVE Browser

CVE-2021-43787

CRITICAL
9.0
CVSS Severity Score
EPSS Score0.1700%
EPSS Percentile32.32th
PublishedNov 29, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Affected Platforms (CPE)

πŸ“¦
Nodebb

Nodebb

>= 1.15.5 and <= 1.18.4

References & Advisories

πŸ”— https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
πŸ”— https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
πŸ”— https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
πŸ”— https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
πŸ”— https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
πŸ”— https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
πŸ”— https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
πŸ”— https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc

Related Vulnerabilities

CVE-2020-151499.9

NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the p...

CVE-2021-437869.8

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step...

CVE-2021-477467.5

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitr...

CVE-2020-151566.8

In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third par...