VYPR
Moderate severity · NVD Advisory · Published Jan 24, 2025 · Updated Feb 6, 2025

CVE-2024-57041

Description

A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in NodeBB v3.11.0 allows attackers to inject arbitrary JavaScript in the 'about me' profile field, executing when an admin views the user's flag.

CVE-2024-57041 is a stored cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 affecting the 'about me' field in user profiles. The application fails to sanitize user input in this field, allowing attackers to store arbitrary HTML and JavaScript [3].

An attacker can inject a malicious script into the 'about me' section of their profile. When an administrator views the flagged content report for that user (e.g., via the Moderator Tools), the script executes in the context of the admin session [3].

Successful exploitation allows the attacker to perform actions as the administrator, including stealing session cookies, modifying site content, or accessing sensitive data. The attack requires no special privileges beyond a registered user account [3].

NodeBB addressed the vulnerability in commit 4e69bff by escaping the 'aboutme' field using the validator.escape function from the npm validator package, ensuring that HTML entities are encoded [4]. Users should update to a patched version or apply the commit manually.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
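
The escaping step described above, as an added example (not NodeBB's code and not part of the advisory). `escapeHtml` is a local stand-in for `validator.escape` so the block runs offline; `USERS`, `getFlagTarget` and `hasRawMarkup` are hypothetical names, and the profile records are constructed sample data.

```javascript
// Stand-in for validator.escape (assumption: written here so the example runs
// offline; in NodeBB the npm validator package does this job).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical in-memory user store; the second record is a constructed
// profile whose "about me" carries markup.
const USERS = new Map([
  [1, { uid: 1, username: 'alice', aboutme: 'Gardener & cyclist' }],
  [2, { uid: 2, username: 'mallory', aboutme: '<script>alert(1)</script>' }],
  [3, { uid: 3, username: 'bob' }], // never filled in "about me"
]);

// Hypothetical counterpart of a flag-target lookup: escape the free-text
// field before the record reaches the template.
function getFlagTarget(id) {
  const userData = USERS.get(id);
  if (!userData || !userData.uid) {
    return {}; // unknown user: nothing to escape, nothing to render
  }
  // Copy so the stored profile is not escaped again on the next lookup.
  return { ...userData, aboutme: escapeHtml(userData.aboutme || '') };
}

// Regression check: no raw markup delimiters survive in the rendered field.
function hasRawMarkup(target) {
  return /[<>]/.test(target.aboutme || '');
}

for (const id of [1, 2, 3, 99]) {
  const target = getFlagTarget(id);
  console.log(id, JSON.stringify(target.aboutme), 'raw markup:', hasRawMarkup(target));
}
```

Escaping a copy rather than the stored record keeps repeated lookups from double-encoding the field, and the empty-string default avoids rendering the literal text `undefined` for users who never set it.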

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
nodebb (npm) | < 3.11.1 | 3.11.1

Patches

4e69bff72fd0

fix: escape about me on user flags

https://github.com/NodeBB/NodeBB · Barış Soner Uşaklı · Dec 6, 2024 · via ghsa
2 files changed · +2 -1
  • src/flags.js · +1 -0 · modified
    @@ -663,6 +663,7 @@ Flags.canFlag = async function (type, id, uid, skipLimitCheck = false) {
     Flags.getTarget = async function (type, id, uid) {
     	if (type === 'user') {
     		const userData = await user.getUserData(id);
    +		userData.aboutme = validator.escape(String(userData.aboutme));
     		return userData && userData.uid ? userData : {};
     	}
     	if (type === 'post') {
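
Review bot: The added `userData.aboutme = validator.escape(String(userData.aboutme));` line dereferences `userData` one line before the existing `userData && userData.uid` guard, so a lookup that returns nothing would throw here instead of falling through to `{}`. `String()` also turns an unset field into the literal text `undefined`, which would then be shown on the flag page. Suggest escaping only inside the guarded path and defaulting the value, for example `validator.escape(String(userData.aboutme || ''))`. The hunk adds no `require`, so it is worth confirming that `validator` is already in scope in src/flags.js.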
    
  • src/views/flags/detail.tpl · +1 -1 · modified
    @@ -123,7 +123,7 @@
     				{{{ end }}}
     
     				{{{ if type_bool.user }}}
    -				<div class="d-flex gap-2">
    +				<div class="d-flex gap-2 align-items-center lh-1 mb-2">
     					<a href="{config.relative_path}/user/{./target.userslug}">{buildAvatar(target, "16px", true)}</a>
     					<a href="{config.relative_path}/user/{./target.userslug}">{target.username}</a>
     				</div>
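
Review bot: The only change in this hunk, the class list on the `<div class="d-flex gap-2">` line, is layout styling and is unrelated to the escaping named in the commit message; the markup that renders the about-me text is not among the visible lines. Suggest moving the styling tweak to its own commit, or stating in the commit message that the template change is cosmetic, so the security fix is easier to audit and backport.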
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
