CVE-2021-43787

Description

### Impact A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. ### Patches The vulnerability has been patched as of v1.18.5. ### Workarounds Cherry-pick commit hash 1783f918bc19568f421473824461ff2ed7755e4c to receive this patch in lieu of a full upgrade. ### For more information If you have any questions or comments about this advisory: * Email us at [security@nodebb.org](mailto:security@nodebb.org)

How to fix CVE-2021-43787

To remediate CVE-2021-43787, upgrade the affected package to a fixed version below.

• —upgrade to 1.18.5 or later

Is CVE-2021-43787 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.15.0, < 1.18.5

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-43787
• PATCHgithub.com/NodeBB/NodeBB
• WEBblog.sonarsource.com/nodebb-remote-code-execution-with-one-shot
• WEBgithub.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c