Primary

Context

NodeBB Persistent Cross-Site Scripting Vulnerability

Vulnerability

Patched

A persistent cross-site scripting vulnerability has been identified in NodeBB version 3.11.0. This vulnerability allows remote attackers to store arbitrary scripts in the 'about me' section of user profiles, which are executed when the profile is viewed by others.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the profile.

Reproduction

To reproduce this vulnerability, create a user account and navigate to the 'about me' section of the profile. Inject a script tag, such as one containing JavaScript code, into this section. Once the script is saved, log in as an administrator and access the 'Flagged Content' section in the admin tools. Click on the user who injected the script, and the stored script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to NodeBB version 3.11.1, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

6.5

remediation

7.7

relevance

0.0

threat

6.5

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

6.5

remediation

7.7

relevance

0.0

threat

6.5

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

NodeBB Persistent Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

NodeBB

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating