Description

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible.

Remediation

References

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw

https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5

https://github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/

Related Vulnerabilities

CVE-2019-1003069 Vulnerability in maven package org.jenkins-ci.plugins:aqua-security-scanner

CVE-2020-17530 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2020-15242 Vulnerability in npm package next

CVE-2018-18853 Vulnerability in maven package io.spray:spray-json_2.10

CVE-2020-10693 Vulnerability in maven package org.hibernate.validator:hibernate-validator

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Release Notes Patch Exploit