Description

Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Remediation

References

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/

https://github.com/NodeBB/NodeBB/commit/c8b2fc46dc698db687379106b3f01c71b80f495f

https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-pfj7-2qfw-vwgm

Related Vulnerabilities

CVE-2023-34455 Vulnerability in maven package org.xerial.snappy:snappy-java

CVE-2020-13949 Vulnerability in maven package org.apache.thrift:libthrift

CVE-2023-31582 Vulnerability in maven package org.bitbucket.b_c:jose4j

CVE-2023-31580 Vulnerability in maven package com.networknt:light-oauth2

CVE-2020-7742 Vulnerability in npm package simpl-schema

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Tags

Exploit Third Party Advisory Patch Release Notes NVD-CWE-noinfo