CVE-2021-43787: 
JavaScript vulnerability analysis and mitigation

CVE-2021-43787 is a prototype pollution vulnerability discovered in NodeBB, an open-source Node.js based forum software. The vulnerability was found in versions 1.15.5 through 1.18.4 and was disclosed on November 27, 2021. The issue existed in the uploader module, which allowed malicious users to inject arbitrary data into the DOM (GitHub Advisory, NVD).

The vulnerability stems from a prototype pollution issue in the uploader module that could be exploited to inject arbitrary JavaScript into the DOM. When combined with a path traversal vulnerability, this could lead to account takeover. The vulnerability received a CVSS v3.1 base score of 9.0 CRITICAL from GitHub, while NVD assigned it a score of 6.1 MEDIUM. The issue was classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-79 (Cross-site Scripting) (Sonar Blog, NVD).

The vulnerability could allow attackers to perform Cross-Site Scripting (XSS) attacks that could spread from user to user. An attacker could create a payload that infects each user account that visits the attacker's profile, potentially leading to the takeover of the entire NodeBB instance when an admin account becomes infected (Sonar Blog).

The vulnerability was patched in NodeBB version 1.18.5, released on October 27, 2021. Users are advised to upgrade to this version as soon as possible. As a workaround, users can cherry-pick commit hash 1783f91 to receive the patch without performing a full upgrade (GitHub Advisory, GitHub Release).

The NodeBB team responded quickly to the vulnerability report, implementing and releasing patches promptly. The vulnerability was discovered by Paul Gerste from SonarSource, and NodeBB awarded a bounty of $1,536 for the findings (Sonar Blog).