VYPR
Moderate severity · GHSA Advisory · Published Apr 30, 2019 · Updated Aug 6, 2024

CVE-2015-9286

Description

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NodeBB before version 0.7.3 contains a reflected XSS vulnerability in the outgoing module's URL handling, allowing remote attackers to inject arbitrary JavaScript.

Vulnerability

Description

The outgoing controller in NodeBB versions prior to 0.7.3 contains a non-persistent cross-site scripting (XSS) vulnerability. Specifically, the Controllers.outgoing function in controllers/index.js does not properly sanitize URL values before processing them, allowing injection of malicious script code [1][2].

Exploitation

The vulnerability can be exploited by tricking a user into clicking a specially crafted link. An attacker can inject arbitrary JavaScript into the outgoing module's response, which executes in the context of the user's session. No authentication is required to deliver the malicious link, but user interaction is necessary [2].

Impact

Successful exploitation could allow an attacker to perform actions on behalf of the victim, including stealing session cookies, defacing the forum, or redirecting users to malicious sites. The CVSS score is 3.4, indicating low severity due to the requirement for user interaction [2].

Mitigation

The vulnerability was addressed in NodeBB version 0.7.3 through commit 4de7529 [1][4]. Users should upgrade to this version or later to protect against exploitation.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: nodebb (npm)
Affected versions: < 0.8.2
Patched versions: 0.8.2

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in the index yet)