Description

Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Remediation

References

https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-pfj7-2qfw-vwgm

https://github.com/NodeBB/NodeBB/commit/c8b2fc46dc698db687379106b3f01c71b80f495f

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/

Related Vulnerabilities

CVE-2020-35728 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-10758 Vulnerability in maven package org.keycloak:keycloak-wildfly-server-subsystem

CVE-2018-16475 Vulnerability in npm package knightjs

CVE-2018-20190 Vulnerability in maven package org.webjars.npm:node-sass

CVE-2018-11696 Vulnerability in maven package org.webjars.npm:node-sass

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Tags

Release Notes Third Party Advisory Patch Exploit