NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.
References
Link | Resource |
---|---|
https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8 | Patch Third Party Advisory |
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675 | Patch Third Party Advisory |
Configurations
History
07 Nov 2023, 03:55
Type | Values Removed | Values Added |
---|---|---|
Summary | NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit. |
07 Dec 2022, 04:49
Type | Values Removed | Values Added |
---|---|---|
First Time |
Nodebb nodebb
Nodebb |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675 - Patch, Third Party Advisory |
05 Dec 2022, 23:40
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-05 21:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-46164
Mitre link : CVE-2022-46164
CVE.ORG link : CVE-2022-46164
JSON object : View
Products Affected
nodebb
- nodebb
CWE
CWE-665
Improper Initialization