CVE-2021-43787, GHSA-wx69-rvg3-x7fc
npm/nodebb
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. JavaScript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report.
All versions starting from 1.15.5 up to 1.18.4
Upgrade to version 1.18.5 or above.
2021-12-01