CVE-2021-43787

Severity: Medium (CVSS 3.1 base score 6.1)
Published Nov 29, 2021 · Last Modified Jun 17, 2026

Description

NodeBB is open source, Node.js-based forum software. In affected versions, a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. JavaScript) into the DOM, theoretically allowing an account takeover when chained with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (2)

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products (1)

Vendor   Product   Version   Range
nodebb   nodebb    *         ≥1.15.5 – ≤1.18.4

References (4)

  • https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
    Exploit, Third Party Advisory
  • https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
    Patch, Third Party Advisory
  • https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
    Patch, Release Notes, Third Party Advisory
  • https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
    Patch, Third Party Advisory

Remediation

  • https://github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c
    Patch, Third Party Advisory
  • https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
    Patch, Release Notes, Third Party Advisory
  • https://github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc
    Patch, Third Party Advisory