Vulnerabilities for 'Nodebb'

2021-11-29

CVE-2021-43786
CWE-287

Nodebb is an open source Node.js based forum software. In affected versions, incorrect logic in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

CVE-2021-43787
CWE-79

Nodebb is an open source Node.js based forum software. In affected versions, a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

CVE-2021-43788
CWE-22

Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

2020-08-20

CVE-2020-15149
CWE-269

NodeBB before version 1.14.3 has a bug, introduced in version 1.12.2, in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an account takeover. As a workaround you may cherry-pick the following commit from the project's repository to your running instance of NodeBB: 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a. This is fixed in version 1.14.3.

2019-04-30

CVE-2015-9286
CWE-79

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

2017-09-21

CVE-2015-3296

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.
