Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Apr 2015 11:29:14 +1000
From: Shubham Shah <admin@...bh.am>
To: oss-security@...ts.openwall.com
Subject: CVE request - NodeBB Persistent XSS through Markdown

Hi,

Could I please get a CVE for a Persistent XSS flaw found in NodeBB versions
< 0.70. The Github repository for this project can be found here:
https://github.com/NodeBB/NodeBB.

The vulnerability allows for an attacker to insert malicious links within
forum posts and threads - that lead to the execution of attacker-defined
JavaScript on click. This vulnerability not only affects NodeBB but also
affects any project which uses the markdown-it project before 4.1.0.

The commits leading to the fix for this flaw can be found here:

NodeBB -
https://github.com/julianlam/nodebb-plugin-markdown/commit/ab7f2684750882f7baefbfa31db8d5aac71e6ec3

Markdown-it -
https://github.com/markdown-it/markdown-it/commit/f76d3beb46abd121892a2e2e5c78376354c214e3

If any more details are required, please let me know.

Thank you,
Shubham

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ