CVE-2015-3296: NodeBB Cross-site Scripting Vulnerability in Markdown Processing
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.56336%
CWE
Published
5/17/2022
Updated
8/13/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
nodebb | npm | < 0.70 | 0.70 |
nodebb-plugin-markdown | npm | < 5.1.1 | 5.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient URL protocol validation in two key areas:
- In nodebb-plugin-markdown's pre-patch code, the absence of a custom validateLink function allowed dangerous protocols. The commit ab7f268 introduced protocol checks, confirming this was missing previously.
- The underlying markdown-it library (before f76d3be) had incomplete validation for data: URLs, as shown in its commit diff adding MIME-type restrictions. NodeBB's dependency on an unpatched markdown-it version propagated this flaw. Both functions directly control URL sanitization during Markdown-to-HTML conversion, making them root causes for the XSS vectors described.