Message-ID: <CAG8UnYPgP+J9KvtXCEv+2JdRx5OTC0D=Ehg1VR6cy7nOre6G7w@mail.gmail.com>
Date: Fri, 10 Apr 2015 11:29:14 +1000
From: Shubham Shah <admin@...bh.am>
To: oss-security@...ts.openwall.com
Subject: CVE request - NodeBB Persistent XSS through Markdown

Hi,

Could I please get a CVE for a Persistent XSS flaw found in NodeBB versions < 0.70. The Github repository for this project can be found here: https://github.com/NodeBB/NodeBB.

The vulnerability allows for an attacker to insert malicious links within forum posts and threads - that lead to the execution of attacker-defined JavaScript on click.

This vulnerability not only affects NodeBB but also affects any project which uses the markdown-it project before 4.1.0.

The commits leading to the fix for this flaw can be found here:

NodeBB - https://github.com/julianlam/nodebb-plugin-markdown/commit/ab7f2684750882f7baefbfa31db8d5aac71e6ec3

Markdown-it - https://github.com/markdown-it/markdown-it/commit/f76d3beb46abd121892a2e2e5c78376354c214e3

If any more details are required, please let me know.

Thank you,
Shubham