A critical severity vulnerability was found in the npm package nodebb.

Impact

A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. JavaScript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report.
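As an added illustration (not NodeBB's code and not the patched commit), the pattern behind this bug class: a naive recursive merge of user-supplied JSON into a server-side object lets a `__proto__` key write into `Object.prototype`, while a merge that refuses prototype-affecting keys does not. The request body and field names are constructed for the example.

```javascript
// Added example, not code from NodeBB or from its fix.
// Shows why unchecked recursive merging of user-controlled JSON
// (such as upload metadata) pollutes Object.prototype, and a
// hardened merge that skips the keys needed to do so.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive deep merge, typical of helpers that copy request data into
// option objects. Object.keys() returns an own "__proto__" key created
// by JSON.parse, and target["__proto__"] resolves to Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], value); // recurses into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drop prototype-affecting keys and only descend into
// own properties of the target, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed body shaped like attacker-controlled metadata.
const CONSTRUCTED_BODY = JSON.parse('{"name":"avatar.png","__proto__":{"isAdmin":true}}');

// Returns true if merging the body made "isAdmin" appear on every
// unrelated object, i.e. Object.prototype was polluted.
function leaksToPrototype(merge) {
  merge({}, CONSTRUCTED_BODY);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // reset so later checks start clean
  return leaked;
}
```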

Patches

The vulnerability has been patched as of v1.18.5.

Workarounds

Cherry-pick commit hash 1783f918bc19568f421473824461ff2ed7755e4c to receive this patch in lieu of a full upgrade.

References


Courtesy:https://github.com/advisories/GHSA-wx69-rvg3-x7fc

By admin
