CVE-2015-3296 — NodeBB Cross-site Scripting Vulnerability in Markdown Processing

Description

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.

How to fix CVE-2015-3296

To remediate CVE-2015-3296, upgrade the affected package to a fixed version below.

npm/nodebb—upgrade to 0.70 or later
—upgrade to 5.1.1 or later

Is CVE-2015-3296 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.70
from 0, < 5.1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-3296
WEBgithub.com/markdown-it/markdown-it/commit/f76d3beb46abd121892a2e2e5c78376354c214e3
WEBgithub.com/NodeBB/NodeBB/issues/2273
WEBgithub.com/NodeBB/nodebb-plugin-markdown/commit/ab7f2684750882f7baefbfa31db8d5aac71e6ec3