CVE-2020-15156: Cross-Site Request Forgery (CSRF)

August 26, 2020 (updated September 1, 2020)

In the nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.

References

nvd.nist.gov/vuln/detail/CVE-2020-15156

Detect and mitigate CVE-2020-15156 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →