CVE-2022-46164

2022-12-0521:15:10

CWE-665

[email protected]

web.nvd.nist.gov

nodebb

forum software

node.js

cve-2022-46164

security vulnerability

account takeover

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.4%

JSON

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit 48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit.

Affected configurations

Vulners

NVD

Node

nodebbnodebbRange<2.6.1

VendorProductVersionCPE
nodebbnodebb*cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nodebb	nodebb	*	cpe:2.3:a:nodebb:nodebb::::::::

CNA Affected

[
  {
    "vendor": "NodeBB",
    "product": "NodeBB",
    "versions": [
      {
        "version": "< 2.6.1",
        "status": "affected"
      }
    ]
  }
]