NodeBB Stored Cross-Site Scripting Vulnerability in IP Blacklist Functionality

Vulnerability

A stored cross-site scripting vulnerability has been identified in NodeBB versions through 4.0.4. This issue allows remote attackers to inject arbitrary code that is executed when the IP blacklist administration panel is accessed. The vulnerability arises because the 'rules' textarea input is not properly sanitized, enabling moderators to execute malicious JavaScript in the context of other privileged users. This could lead to session hijacking, unauthorized administrative actions, or defacement. The injected scripts persist across sessions, and there is no mechanism to remove them from the user interface, potentially causing a denial of access to the page.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of other privileged users, which could result in session hijacking, unauthorized administrative actions, or defacement.

Reproduction

To reproduce this vulnerability, create a normal user and promote it to moderator. Then, navigate to the IP blacklist panel and enter a script payload into the 'rules' textarea. After applying the blacklist, the injected script will execute, demonstrating the cross-site scripting vulnerability. The injected script can persist and cause functionality issues by denying access to the page.

Remediation

The vulnerability has been addressed in NodeBB by sanitizing user input with the 'validator.escape()' function to neutralize HTML special characters. Users should update to the latest version of NodeBB to mitigate this vulnerability.
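The fix described above, sketched as an added example (not NodeBB's own code): the stored rules are rendered into a textarea with and without escaping. `escapeHtml()` is a stand-in for `validator.escape()`. The render helpers, element id and sample rules are assumptions constructed for illustration.

```javascript
// Added example. escapeHtml() is a stand-in for validator.escape();
// the render helpers and element id are hypothetical, not NodeBB's code.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ENTITIES[ch]);
}

// Vulnerable pattern: stored rules interpolated into the page verbatim.
function renderRulesUnsafe(rules) {
  return `<textarea id="blacklist-rules">${rules}</textarea>`;
}

// Hardened pattern: HTML special characters neutralized before output.
function renderRulesSafe(rules) {
  return `<textarea id="blacklist-rules">${escapeHtml(rules)}</textarea>`;
}

// A <textarea> ends at the first "</textarea" the parser meets. Split the
// rendered HTML into the field's content and whatever spills out after it.
function parseTextarea(html) {
  const start = html.indexOf('>') + 1;
  const end = html.toLowerCase().indexOf('</textarea', start);
  const close = html.indexOf('>', end) + 1;
  return { content: html.slice(start, end), spill: html.slice(close) };
}

// Constructed sample: one legitimate rule plus an inert markup marker.
const SAMPLE_RULES =
  '192.168.0.0/16\n</textarea><script>/* constructed marker */</script>';

// Non-empty spill means stored input became live markup in the admin page.
function report(rules) {
  return {
    unsafeSpill: parseTextarea(renderRulesUnsafe(rules)).spill,
    safeSpill: parseTextarea(renderRulesSafe(rules)).spill,
  };
}

console.log(report(SAMPLE_RULES));
```

The browser decodes the entities when it displays the textarea, so a legitimate rule such as a CIDR range still reads as originally typed.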

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 4.2
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.