CVE-2023-2850 - OpenCVE

NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by attacker.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Nodebb	Nodebb

Configuration 1 [-]

OR	cpe:2.3:a:nodebb:nodebb::::::::
	cpe:2.3:a:nodebb:nodebb::::::::

References

Link	Resource
https://github.com/NodeBB/NodeBB/commit/51096ad2345fb1d1380bec0a447113489ef6c359	Patch
https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3	Release Notes
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-4qcv-qf38-5j3j	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2023-07-25T11:13:18.100Z

Updated: 2023-07-25T13:42:38.643Z

Reserved: 2023-05-23T11:27:01.949Z

Link: CVE-2023-2850

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-25T12:15:10.837

Modified: 2023-08-07T16:58:57.517

Link: CVE-2023-2850

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F25C5F7-B985-40D3-AD78-46E8264A4D7A", "versionEndExcluding": "2.8.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E60CBF3-000A-4CFE-AB1F-F1CC25A650DB", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by attacker."}], "id": "CVE-2023-2850", "lastModified": "2023-08-07T16:58:57.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-07-25T12:15:10.837", "references": [{"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/NodeBB/NodeBB/commit/51096ad2345fb1d1380bec0a447113489ef6c359"}, {"source": "report@snyk.io", "tags": ["Release Notes"], "url": "https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3"}, {"source": "report@snyk.io", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/NodeBB/NodeBB/security/advisories/GHSA-4qcv-qf38-5j3j"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1385"}], "source": "report@snyk.io", "type": "Secondary"}]}