oss-sec mailing list archives
CVE request - NodeBB Persistent XSS through Markdown
From: Shubham Shah <admin () shubh am>
Date: Fri, 10 Apr 2015 11:29:14 +1000
Hi,

Could I please get a CVE for a Persistent XSS flaw found in NodeBB versions < 0.70. The Github repository for this project can be found here: https://github.com/NodeBB/NodeBB.

The vulnerability allows for an attacker to insert malicious links within forum posts and threads - that lead to the execution of attacker-defined JavaScript on click.

This vulnerability not only affects NodeBB but also affects any project which uses the markdown-it project before 4.1.0.

The commits leading to the fix for this flaw can be found here:

NodeBB - https://github.com/julianlam/nodebb-plugin-markdown/commit/ab7f2684750882f7baefbfa31db8d5aac71e6ec3
Markdown-it - https://github.com/markdown-it/markdown-it/commit/f76d3beb46abd121892a2e2e5c78376354c214e3

If any more details are required, please let me know.

Thank you,
Shubham
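Added illustration, not part of the original message and not code from NodeBB or markdown-it: one way a forum can refuse link destinations that run script on click is a scheme allowlist applied to every Markdown link target before it is rendered. The allowlist contents and the function names are assumptions, and the sketch assumes it receives the destination after Markdown escapes and entities have been decoded.

```javascript
// Added example: scheme allowlist for link destinations in user-supplied Markdown.
// ALLOWED_SCHEMES and all function names are assumptions made for this sketch.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers drop tab, CR and LF anywhere in a URL and trim leading/trailing
// C0 control characters and spaces before parsing it, so a filter that skips
// this step sees a different scheme than the browser does.
function normalizeHref(href) {
  return String(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Returns the lower-cased scheme, or null when the destination is relative
// (path, query or fragment only).
function hrefScheme(href) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeHref(href));
  return m ? m[1].toLowerCase() : null;
}

// Relative destinations stay on the forum's own origin; absolute ones must
// use an allowlisted scheme. Everything else is rejected.
function isAllowedHref(href) {
  const scheme = hrefScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Returns the destinations a renderer should refuse to turn into <a href>.
function rejectedLinks(hrefs) {
  return hrefs.filter((h) => !isAllowedHref(h));
}

// Constructed sample destinations, as they might appear in a forum post.
const SAMPLE_HREFS = [
  'https://example.org/topic/1',
  '/user/alice',
  '#reply-3',
  'mailto:admin@example.org',
  'JaVaScRiPt:void(0)',
  ' java\tscript:void(0)',
  'data:text/html,hello',
];

console.log(rejectedLinks(SAMPLE_HREFS));
```

A denylist of known-bad schemes would need updating for every new script-capable scheme; the allowlist fails closed instead.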