CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2021-43787

CRITICAL
9.0
CVSS Severity Score
EPSS Score0.1700%
EPSS Percentile32.32th
Published2021年11月29日
Last Modified2024年11月21日

Vulnerability Description

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Affected Platforms (CPE)

📦
Nodebb

Nodebb

>= 1.15.5 and <= 1.18.4

References & Advisories

🔗 https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
🔗 https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
🔗 https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
🔗 https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
🔗 https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
🔗 https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
🔗 https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
🔗 https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc

相關漏洞威脅

CVE-2020-151499.9

NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the p...

CVE-2021-437869.8

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step...

CVE-2021-477467.5

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitr...

CVE-2020-151566.8

In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third par...