Description
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.
References (3)
Core References
Product
http://nodebb.com
Exploit, Third Party Advisory
https://www.tonysec.com/posts/cve-2024-57041/
Scores
CVSS v3
4.6
EPSS
0.0473
EPSS Percentile
89.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
nodebb/nodebb
3.11.0
npm/nodebb
0 - 3.11.1 (npm)
Published
Jan 24, 2025
Tracked Since
Feb 18, 2026