CVE-2015-3296: NodeBB Cross-site Scripting Vulnerability in Markdown Processing

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.56336%
Published: 5/17/2022
Updated: 8/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| nodebb | npm | < 0.70 | 0.70 |
| nodebb-plugin-markdown | npm | < 5.1.1 | 5.1.1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from insufficient URL protocol validation in two key areas:

  1. In nodebb-plugin-markdown's pre-patch code, the absence of a custom validateLink function allowed dangerous protocols. The commit ab7f268 introduced protocol checks, confirming this was missing previously.
  2. The underlying markdown-it library (before f76d3be) had incomplete validation for data: URLs, as shown in its commit diff adding MIME-type restrictions. NodeBB's dependency on an unpatched markdown-it version propagated this flaw.

Both functions directly control URL sanitization during Markdown-to-HTML conversion, making them root causes for the XSS vectors described.
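
A link-target check of the kind the analysis above says was missing, written here as an added example; it is not the code of nodebb-plugin-markdown or markdown-it. The function name, the allowed schemes and the image MIME list are assumptions chosen for illustration.

```javascript
'use strict';

// Assumed policy for this example: schemes a forum post may link to.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
// Assumed set of raster image types tolerated in data: URLs.
// image/svg+xml is left out on purpose because SVG can carry script.
const SAFE_DATA_RE = /^data:image\/(?:gif|png|jpeg|webp)[;,]/;

// Hypothetical helper: true when a Markdown link/image target may be rendered.
function isSafeLinkTarget(rawUrl) {
  // Browsers skip leading whitespace/control characters and drop tab, CR and LF
  // inside a URL, so normalise the same way before reading the scheme.
  const url = String(rawUrl)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\r\n]/g, '')
    .toLowerCase();

  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (!m) return true;                       // no scheme: relative path, #fragment, ?query
  if (m[1] === 'data') return SAFE_DATA_RE.test(url);
  return ALLOWED_SCHEMES.has(m[1]);          // allowlist: unknown schemes are refused
}

// Constructed sample targets (not taken from the advisory).
const SAMPLES = [
  'https://example.org/topic/1',
  '/category/2#reply',
  'JavaScript:void(0)',
  ' \tjavascript:void(0)',
  'java\tscript:void(0)',
  'data:text/html;base64,AAAA',
  'data:image/png;base64,AAAA',
  'data:image/svg+xml;base64,AAAA',
];

// Returns [target, verdict] pairs so a caller can log or assert on them.
function classify(samples) {
  return samples.map((u) => [u, isSafeLinkTarget(u)]);
}

for (const [target, ok] of classify(SAMPLES)) {
  console.log((ok ? 'allow ' : 'reject') + '  ' + JSON.stringify(target));
}
```

The check is an allowlist, so a scheme that is not listed (including a bare `host:port` string) is refused rather than passed through.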


WAF Protection Rules

WAF Rule

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.
