CVE-2024-57041
Published: 24 January 2025
Summary
CVE-2024-57041 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Nodebb Nodebb. Its CVSS base score is 4.6 (Medium).
Operationally, ranked in the top 8.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A persistent cross-site scripting vulnerability tracked as CVE-2024-57041 affects NodeBB version 3.11.0 and stems from improper handling of user-supplied content in the profile's "about me" section. The flaw is classified under CWE-79 and carries a CVSS 3.1 score of 4.6, reflecting network attack vector, low attack complexity, and low-privileged access requirements.
An authenticated attacker can inject and persistently store arbitrary JavaScript in their own profile field; when another user views the profile, the script executes in the victim's browser context, enabling limited theft of information or actions on the attacker's behalf. Exploitation requires the victim to interact with the malicious profile and does not impact availability.
A fix is available in the NodeBB repository via commit 4e69bff72fd04779064d37e46a43080e6c328adf, which addresses input sanitization for the affected profile component. The associated EPSS score remains flat at 0.0712 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53506
Vulnerability details
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.