357 matches found
Code injection
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added and later checked a nonce was inadvertently rendered opt-i...
CVE-2022-36076 Account takeover via SSO plugins in NodeBB
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added and later checked a nonce was inadvertently rendered opt-i...
CVE-2022-36076
CVE-2022-36076 affects NodeBB Forum Software (Node.js) leveraging Redis/MongoDB/PostgreSQL. The root cause is an overly strict conditional in the SSO first-step handling, which rendered the nonce logic opt-in instead of opt-out, re-exposing vulnerability to allow a specially crafted MITM attack t...
PT-2022-23164 · Nodebb · Nodebb Forum
Name of the Vulnerable Software and Affected Versions: NodeBB Forum Software versions prior to 1.17.2 Description: The issue is caused by an unnecessarily strict conditional in the code handling the first step of the Single Sign-On (SSO) process. This conditional inadvertently rendered the...
NodeBB Forum Software cross-site request forgery vulnerability
NodeBB is a forum system from the Design Create Play team built using Node.js, a web application platform built on top of Google's V8 JavaScript engine. A cross-site request forgery vulnerability exists in NodeBB Forum Software versions prior to 1.17.1, which stems from an unwanted condition in t...
Privilege Escalation
nodebb is vulnerable to privilege escalation. The vulnerability exists due to the insecure pseudo-random number generator in the module.exports function of utils.js, allowing an attacker to provide a specially crafted script combined with multiple invocations of the password reset functionality a...
CVE-2022-36045
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. utils.generateUUID, a helper function available in essentially all versions of NodeBB as far back as v1.0.1 and...
Code injection
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. utils.generateUUID, a helper function available in essentially all versions of NodeBB as far back as v1.0.1 and...
CVE-2022-36045 Account takeover via cryptographically weak PRNG in NodeBB Forum
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. utils.generateUUID, a helper function available in essentially all versions of NodeBB as far back as v1.0.1 and...
CVE-2022-36045
CVE-2022-36045 affects NodeBB Forum Software. The root cause is a cryptographically weak PRNG used by the helper function utils.generateUUID (it uses Math.random()), enabling an attacker to possibly calculate reset codes and take over an account without victim involvement. Affected versions include e...
Multiple NodeBB products: security feature issue vulnerability
NodeBB is a forum system from the Design Create Play team built using Node.js, a web application platform built on top of Google's V8 JavaScript engine. A security signature issue vulnerability exists in NodeBB versions v0.21.0 through v0.31.0, which originates from a vulnerability that allows an...
Cryptographically weak PRNG in `utils.generateUUID`
In Brief utils.generateUUID, a helper function available in essentially all versions of NodeBB as far back as v1.0.1 and potentially earlier used a cryptographically insecure Pseudo-random number generator Math.random, which meant that a specially crafted script combined with multiple invocations...
GHSA-P4CC-W597-6CPM Cryptographically weak PRNG in `utils.generateUUID`
In Brief utils.generateUUID, a helper function available in essentially all versions of NodeBB as far back as v1.0.1 and potentially earlier used a cryptographically insecure Pseudo-random number generator Math.random, which meant that a specially crafted script combined with multiple invocations...
PT-2022-4655 · Nodebb · Nodebb
Name of the Vulnerable Software and Affected Versions: NodeBB Forum Software versions prior to 1.19.7 NodeBB Forum Software versions prior to 2.0.0 Description: The utils.generateUUID helper function in NodeBB Forum Software uses a cryptographically insecure pseudo-random number generator...
Malicious code in nodebb-theme-opera (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0a769de2deb47651c7854cd9d1559f3a907a707f3cb60dcfd5aefb5af9d36a6f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4895 Malicious code in nodebb-theme-opera (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0a769de2deb47651c7854cd9d1559f3a907a707f3cb60dcfd5aefb5af9d36a6f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...