PT-2022-27780 · Nodebb · Nodebb
Name of the Vulnerable Software and Affected Versions: NodeBB versions prior to 2.6.1 Description: The issue arises from a plain object with a prototype being used in socket.io message handling, allowing a specially crafted payload to impersonate other users and take over accounts. Recommendations...
NodeBB < 2.5.8 CSRF Vulnerability
NodeBB is prone to a cross-site request forgery (CSRF) vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodebb:nodebb...
NodeBB vulnerable to Cross-Site Request Forgery
A vulnerability was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 addresses this issue. The name of the patch is...
GHSA-5GWX-WF9G-R5MX NodeBB vulnerable to Cross-Site Request Forgery
A vulnerability was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 addresses this issue. The name of the patch is...
CVE-2022-3978
A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this...
Cross-site request forgery (CSRF)
A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this...
PT-2022-24994 · Nodebb · Nodebb
Name of the Vulnerable Software and Affected Versions: NodeBB versions up to 2.5.7 Description: A vulnerability was found in NodeBB, affecting an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely...
CVE-2022-3978 NodeBB abort cross-site request forgery
A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this...
CVE-2022-3978
CVE-2022-3978 affects NodeBB up to version 2.5.7, with CSRF vulnerability in the /register/abort path that can be triggered remotely. The issue is resolved by upgrading to 2.5.8, with patch identifier 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. Connected sources consistently describe a cross‑site r...
NodeBB Cross-Site Request Forgery Vulnerability
NodeBB is a forum system from the Design Create Play team built using Node.js, a web application platform built on top of Google's V8 JavaScript engine. A security vulnerability exists in NodeBB 2.5.7 and earlier versions, which stems from an unknown part of the file /register/abort being affecte...
GHSA-XMGG-FX9P-PRQ6 NodeBB account takeover via SSO plugins
This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes. Impact Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the...
NodeBB account takeover via SSO plugins
This is a historical security advisory, pertaining to a vulnerability that was reported, patched, and published in 2021. It is listed here for completeness and for CVE tracking purposes. Impact Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the...
NodeBB < 1.19.8, 2.x < 2.0.1 Account Takeover Vulnerability
NodeBB is prone to an account takeover vulnerability via a cryptographically weak PRNG in SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
NodeBB 1.15.5 - 1.18.4 XSS Vulnerability
NodeBB is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodebb:nodebb";...
NodeBB 1.15.x - 1.18.4 Improper Authentication Vulnerability
NodeBB is prone to an improper authentication vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodebb:nodebb";...
NodeBB < 1.17.2 Account Takeover Vulnerability
NodeBB is prone to an account takeover vulnerability via SSO plugins. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
NodeBB 1.0.4 - 1.18.4 Path Traversal Vulnerability
NodeBB is prone to a path traversal vulnerability in the translator module. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2022-36076
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added and later checked a nonce was inadvertently rendered opt-i...