{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] }, { "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ] }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "cf43beedb05131937ef46f365ab0a0c6fa6ac618" } ], "repo": "https://github.com/psychobunny/nodebb-plugin-blog-comments", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "cf43beedb05131937ef46f365ab0a0c6fa6ac618" } ], "repo": "https://github.com/psychobunny/nodebb-plugin-blog-comments", "type": "GIT" } ] } ], "details": "In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.", "id": "CVE-2020-15156", "modified": "2026-03-13T21:48:39.205597703Z", "published": "2020-08-26T19:15:14.377Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/psychobunny/nodebb-plugin-blog-comments/security/advisories/GHSA-43m5-c88r-cjvv" }, { "type": "ADVISORY", "url": "https://www.npmjs.com/package/nodebb-plugin-blog-comments" }, { "type": "FIX", "url": "https://github.com/psychobunny/nodebb-plugin-blog-comments/commit/cf43beedb05131937ef46f365ab0a0c6fa6ac618" } ], "related": [ "GHSA-43m5-c88r-cjvv" ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "type": "CVSS_V3" } ] }