CVE-2023-26045

2023-07-2422:15:10

CWE-22

[email protected]

web.nvd.nist.gov

nodebb

forum software

cve-2023-26045

security vulnerability

patch

nvd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.6%

JSON

NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit.

Affected configurations

Vulners

NVD

Node

nodebbnodebbRange2.5.0–2.8.7

VendorProductVersionCPE
nodebbnodebb*cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nodebb	nodebb	*	cpe:2.3:a:nodebb:nodebb::::::::

CNA Affected

[
  {
    "vendor": "NodeBB",
    "product": "NodeBB",
    "versions": [
      {
        "version": ">= 2.5.0, < 2.8.7",
        "status": "affected"
      }
    ]
  }
]