Cross-site request forgery (CSRF)
In nodebb-plugin-blog-comments before version 0.7.0, a logged-in user is vulnerable to an XSS attack that could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation...
CVE-2020-15156
CVE-2020-15156 affects nodebb-plugin-blog-comments prior to version 0.7.0. The root cause is missing CSRF validation on the reply/publish requests, which exposes a logged-in user to an XSS attack that could allow a third party to post on their behalf on the forum. The issue is documented across multipl...
XSS due to lack of CSRF validation for replying/publishing
Impact: Due to lack of CSRF validation, a logged-in user is potentially vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. Patches: Upgrade to the latest version, v0.7.0. Workarounds: You can cherry-pick the following commit:...
Privilege Escalation
nodebb is vulnerable to privilege escalation. Lack of correct password validation logic allows an attacker to send a malicious socket.io call to update the password of any user on a running NodeBB forum and take over the account...
CVE-2020-15149
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an...
Design/Logic Flaw
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an...
NodeBB Elevation of Privilege Vulnerability
NodeBB is a forum system built using Node.js, a web application platform built on top of Google's V8 JavaScript engine, by the Design Create Play team. A security vulnerability exists in the authentication logic in NodeBB versions 1.12.2 and later, fixed in version 1.14.3. An attacker can exploit th...
CVE-2020-15149 Account takeover in NodeBB
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an...
CVE-2020-15149
NodeBB is affected by CVE-2020-15149 where a bug in the validation logic introduced in 1.12.2 allows changing the password of any user via a crafted socket.io call, enabling privilege escalation/account takeover on running forums. The vulnerability affects NodeBB versions up to 1.14.2 (vulnerable...
Information Disclosure
nodebb is vulnerable to information disclosure. The topics that have been deleted are hidden for moderators but not for an administrator...
Cross-Site Scripting (XSS)
nodebb is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via the URL...
Cross-site Scripting (XSS)
nodebb is vulnerable to cross-site scripting (XSS). The issue exists because NodeBB has no baseline XSS protection of its own and relies on plugins to sanitize all parsed content, so an attacker can inject malicious script if any of those plugins is disabled...
Cross-Site Scripting (XSS)
NodeBB is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via Controllers.outgoing in controllers/index.js...
Cross-site Scripting in NodeBB
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS...
GHSA-72FV-QGJ6-2W2P Cross-site Scripting in NodeBB
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS...
CVE-2015-9286
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS...
Cross-site scripting
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS...
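The CVE-2015-9286 entries above concern an "outgoing link" page that reflects a user-supplied URL into its HTML. The following is an added example, not NodeBB's controllers/index.js: a reflected rendering beside a hardened one that parses the URL with the WHATWG URL API, allows only http(s) schemes, and HTML-escapes the value before interpolating it into the page. The `query.url` parameter, the response shape and the function names are assumptions made for the illustration.

```javascript
// Added example (not NodeBB's controllers/index.js): reflecting a user-supplied
// URL on an "outgoing link" page, unsafe and safe versions.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Returns a normalised http(s) URL string, or null when the value must not be
// offered as a link (unparseable, too long, javascript:/data:/other schemes).
function safeOutgoingUrl(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Vulnerable shape for contrast: the raw query value is concatenated into both
// an attribute and a text node, so a value ending the attribute with `">`
// injects markup.
function renderOutgoingVulnerable(query) {
  const url = query.url;
  return `<p>You are now leaving the forum to visit <a href="${url}">${url}</a></p>`;
}

// Hardened: validate the scheme and structure, then encode for the HTML context.
function renderOutgoingHardened(query) {
  const url = safeOutgoingUrl(query.url);
  if (url === null) {
    return { status: 404, body: '<p>Invalid outgoing link.</p>' };
  }
  const e = escapeHtml(url);
  return {
    status: 200,
    body: `<p>You are now leaving the forum to visit ` +
          `<a href="${e}" rel="noopener noreferrer nofollow">${e}</a></p>`,
  };
}

function demoOutgoing() {
  // Constructed payload: closes the href attribute and injects a script tag.
  const payload = 'https://example.org/"><script>alert(1)</script>';
  const vuln = renderOutgoingVulnerable({ url: payload });
  const hard = renderOutgoingHardened({ url: payload });
  const js = renderOutgoingHardened({ url: 'javascript:alert(1)' });
  const good = renderOutgoingHardened({ url: 'https://example.org/path?q=1' });
  return {
    vulnHasScript: vuln.includes('<script>'),      // true
    hardHasScript: hard.body.includes('<script>'), // false
    jsStatus: js.status,                           // 404
    goodStatus: good.status,                       // 200
    goodHref: safeOutgoingUrl('https://example.org/path?q=1'),
  };
}

console.log(demoOutgoing());
```

Two layers do the work here: the URL parser percent-encodes characters such as `"`, `<` and `>` in the path, and `escapeHtml` handles whatever survives normalisation, so neither the attribute nor the text node can be broken out of. The scheme allow-list is what stops a `javascript:` link from being rendered at all.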