NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.
References
Link | Resource |
---|---|
https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8 | Patch Third Party Advisory |
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-12-05T20:52:19.695Z
Updated:
Reserved: 2022-11-28T17:27:19.997Z
Link: CVE-2022-46164
JSON object: View
NVD Information
Status : Modified
Published: 2022-12-05T21:15:10.443
Modified: 2023-11-07T03:55:03.443
Link: CVE-2022-46164
JSON object: View
Redhat Information
No data.
CWE