NodeBB Cross-site scripting (XSS) vulnerability
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile...
GHSA-QC99-R4WH-C8H6 Incorrect Access Control in NodeBB
In NodeBB prior to 3.6.7, an attacker was able to access the restricted tabs for the Admin group, which are only allowed to the administrators...
CVE-2022-36076 Account takeover via SSO plugins in NodeBB
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added and later checked a nonce was inadvertently rendered opt-i...
PT-2021-23932 · Nodebb · Nodebb
Name of the Vulnerable Software and Affected Versions: Nodebb versions prior to 1.18.5 Description: The issue is related to incorrect logic in the token verification step, which unintentionally allowed master token access to the API. Recommendations: For versions prior to 1.18.5, upgrade to versi...