Moderate severity · NVD Advisory · Published Aug 26, 2020 · Updated Aug 4, 2024
XSS due to lack of CSRF validation for replying/publishing
CVE-2020-15156
Description
In nodebb-plugin-blog-comments before version 0.7.0, a logged-in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to a lack of CSRF validation on the reply and publish endpoints.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nodebb-plugin-blog-comments (npm) | < 0.7.0 | 0.7.0 |
Affected products
- Range: < 0.7.0
Patches
- cf43beedb051: fix: CSRF issues
1 file changed · +2 −2
library.js+2 −2 modified@@ -248,8 +248,8 @@ }); app.get('/comments/get/:id/:pagination?', middleware.applyCSRF, Comments.getCommentData); - app.post('/comments/reply', Comments.replyToComment); - app.post('/comments/publish', Comments.publishArticle); + app.post('/comments/reply', middleware.applyCSRF, Comments.replyToComment); + app.post('/comments/publish', middleware.applyCSRF, Comments.publishArticle); app.get('/admin/blog-comments', middleware.admin.buildHeader, renderAdmin); app.get('/api/admin/blog-comments', renderAdmin);
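Review bot: The two POST routes in this hunk now run middleware.applyCSRF ahead of their handlers, matching the existing `app.get('/comments/get/:id/:pagination?', middleware.applyCSRF, ...)` line directly above them; what the hunk cannot show is whether library.js registers any other state-changing route outside lines 248–255, so the review should confirm that every app.post in the file now carries the same middleware rather than only the two named in the advisory. A short comment on the route block noting that applyCSRF is required for any handler that writes on the user's behalf would help keep future routes from regressing, and the commit message "fix: CSRF issues" gives no hint of scope, so a test exercising a reply without a token would document the intended behaviour.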
References
- github.com/advisories/GHSA-43m5-c88r-cjvv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-15156 (NVD advisory)
- github.com/psychobunny/nodebb-plugin-blog-comments/commit/cf43beedb05131937ef46f365ab0a0c6fa6ac618 (fix commit)
- github.com/psychobunny/nodebb-plugin-blog-comments/security/advisories/GHSA-43m5-c88r-cjvv (repository security advisory)
- www.npmjs.com/package/nodebb-plugin-blog-comments (npm package)