NodeBB Cross-Site Scripting Vulnerability in Admin API Token Generator

Vulnerability

A stored cross-site scripting vulnerability has been identified in NodeBB versions through 4.0.4. This issue allows remote attackers to inject arbitrary JavaScript into the admin API Access token generator. The vulnerability arises because the server-side validation of the User ID input is inadequate, enabling the injection of malicious scripts that are executed whenever the API tokens page is accessed by an admin.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the admin user.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the '/admin/settings/api' endpoint. Click 'Create Token' in the API Access section and enter a valid User ID, such as '0'. After the token is created, use a web proxy or cURL to submit a crafted User ID, such as '-0' or other malformed numeric strings. The application will accept these inputs despite frontend validation. Once the injected User ID is processed, it can be exploited by injecting a script tag, such as '<script>alert("NodeBB Hacked!")</script>', which will be executed when the API tokens page is accessed.

Remediation

Users can update to NodeBB version 4.0.5 or later, where this vulnerability has been fixed.
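The Vulnerability section attributes the issue to inadequate server-side validation of the User ID, which the frontend check alone cannot enforce. The following is an added illustration of the two controls that close that gap, strict server-side parsing of the uid and escaping on output; it is not NodeBB's code and not the fix shipped in 4.0.5 (whose details are not given here), and the handler shape and token store are assumptions.

```javascript
// Added example (not NodeBB's own code): strict server-side handling of the
// User ID sent to a hypothetical API-token creation endpoint, plus output
// escaping when the stored tokens are rendered on the admin page.

// Accept only a canonical, non-negative, safe integer in string form:
// "0" and "42" pass; "-0", "007", "1e3", " 1" and "<script>" are rejected.
function parseUid(input) {
  if (typeof input !== 'string' && typeof input !== 'number') return null;
  const s = String(input);
  if (!/^(0|[1-9][0-9]*)$/.test(s)) return null;
  const n = Number(s);
  return Number.isSafeInteger(n) ? n : null;
}

// Escape for an HTML text context, so any value that reaches the template
// is rendered inertly regardless of what earlier validation allowed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical handler: validates on the server, independent of any
// client-side checks, and only then appends to the (assumed) token store.
function createToken(body, store) {
  const uid = parseUid(body.uid);
  if (uid === null) {
    return { status: 400, error: 'uid must be a non-negative integer' };
  }
  const token = { uid, description: String(body.description || '') };
  store.push(token);
  return { status: 200, token };
}

// Render the token table; every dynamic value goes through escapeHtml.
function renderTokenRows(store) {
  return store
    .map((t) => `<tr><td>${escapeHtml(t.uid)}</td><td>${escapeHtml(t.description)}</td></tr>`)
    .join('\n');
}

// Constructed sample requests: a valid uid, the malformed "-0" from the
// advisory, and a markup-bearing uid. Only the first one is stored.
const sampleStore = [];
const sampleResults = [
  createToken({ uid: '0', description: 'ci bot' }, sampleStore),
  createToken({ uid: '-0', description: 'bad' }, sampleStore),
  createToken({ uid: '<b>x</b>', description: 'bad' }, sampleStore),
];
```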

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.