Lucene search

357 matches found

Snyk
added 2022/07/17 8:8 a.m., 3 views

Malicious Package

Overview: nodebb-theme-opera is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packag...

CVSS 9.8, AI score 7.1
Exploits: 0, References: 3
OSV
added 2022/05/17 12:47 a.m., 15 views

GHSA-9G4F-5RPG-4948 NodeBB Cross-site Scripting Vulnerability in Markdown Processing

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs...

CVSS 6.1, AI score 6, EPSS 0.00343
Exploits: 0, References: 6
Github Security Blog
added 2022/05/17 12:47 a.m., 18 views

NodeBB Cross-site Scripting Vulnerability in Markdown Processing

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs...

CVSS 6.1, AI score 6, EPSS 0.00343
Exploits: 0, References: 7, Affected Software: 2
Opera Security Advisories
added 2022/03/25 12:0 a.m., 5 views

Bug Bounty Adventures: A NodeBB 0-day

March 25th, 2022. Opera maintains both a public bug bounty program, and a private program, where security researchers can submit security issues they have found in Opera’s products for cash rewards. We like to highlight some of the issues that ha...

CVSS 8.8, AI score 6.9, EPSS 0.23127
Exploits: 12, References: 1
CNVD
added 2021/12/01 12:0 a.m., 18 views

Nodebb has an unspecified vulnerability

NodeBB is a forum system built by the Design Create Play team using Node.js, a web application platform built on top of Google's V8 JavaScript engine. NodeBB has a security vulnerability that could be exploited by attackers to access locations outside of restricted directories...

CVSS 9, AI score 2.2, EPSS 0.0041
Exploits: 1, References: 1
CNVD
added 2021/12/01 12:0 a.m., 20 views

Nodebb path traversal vulnerability

NodeBB is a forum system built by the Design Create Play team using Node.js, a web application platform built on top of Google's V8 JavaScript engine. Nodebb is vulnerable to a path traversal vulnerability that could be exploited to access locations outside of restricted directories...

CVSS 5, AI score 1.6, EPSS 0.0252
Exploits: 1, References: 1
CNVD
added 2021/12/01 12:0 a.m., 13 views

Nodebb licensing issue vulnerability

NodeBB is a forum system built by the Design Create Play team using Node.js, a web application platform built on top of Google's V8 JavaScript engine. An authorization issue vulnerability exists in NodeBB, which stems from a faulty token authentication logic in the product, and could be exploited...

CVSS 9.8, AI score 2, EPSS 0.00475
Exploits: 1, References: 1
OSV
added 2021/11/30 10:21 p.m., 22 views

GHSA-HF2M-J98R-4FQW API token verification can be bypassed in NodeBB

Impact: Incorrect logic present in the token verification step unintentionally allowed master token access to the API. Patches: The vulnerability has been patched as of v1.18.5. Workarounds: Cherry-pick commit hash 04dab1d550cdebf4c1567bca9a51f8b9ca48a500 to receive this patch in lieu of a full upgrad...

CVSS 9.8, AI score 8.5, EPSS 0.00475
Exploits: 1, References: 6
Github Security Blog
added 2021/11/30 10:21 p.m., 34 views

API token verification can be bypassed in NodeBB

Impact: Incorrect logic present in the token verification step unintentionally allowed master token access to the API. Patches: The vulnerability has been patched as of v1.18.5. Workarounds: Cherry-pick commit hash 04dab1d550cdebf4c1567bca9a51f8b9ca48a500 to receive this patch in lieu of a full upgrad...

CVSS 9.8, AI score 0.9, EPSS 0.00475
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2021/11/30 10:21 p.m., 16 views

GHSA-WX69-RVG3-X7FC XSS via prototype pollution in NodeBB

Impact: A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report...

CVSS 9, AI score 7.5, EPSS 0.0041
Exploits: 1, References: 6
Github Security Blog
added 2021/11/30 10:21 p.m., 23 views

XSS via prototype pollution in NodeBB

Impact: A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report...

CVSS 9, AI score 1.3, EPSS 0.0041
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2021/11/30 10:20 p.m., 20 views

GHSA-PFJ7-2QFW-VWGM NodeBB vulnerable to path traversal in translator module

Impact: Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected languages/ directory. Patches: The vulnerability has been patched as of v1.18.5. Workarounds: Cherry-pick commit hash c8b2fc46dc698db687379106b3f01c71b80f495f to recei...

CVSS 5, AI score 5.2, EPSS 0.0252
Exploits: 1, References: 6
Github Security Blog
added 2021/11/30 10:20 p.m., 27 views

NodeBB vulnerable to path traversal in translator module

Impact: Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected languages/ directory. Patches: The vulnerability has been patched as of v1.18.5. Workarounds: Cherry-pick commit hash c8b2fc46dc698db687379106b3f01c71b80f495f to recei...

CVSS 5, AI score 1.8, EPSS 0.0252
Exploits: 1, References: 6, Affected Software: 1
Veracode
added 2021/11/30 9:5 a.m., 17 views

Path Traversal

nodebb is vulnerable to path traversal. An attacker can access JSON files outside of the expected languages/ directory through the Languages.get function in languages.js...

CVSS 5, AI score 5.1, EPSS 0.0252
Exploits: 1, References: 4, Affected Software: 1
SonarSource Blog
added 2021/11/30 12:0 a.m., 32 views

NodeBB 1.18.4 - Remote Code Execution With One Shot

Message forums are used by many companies and open source projects to exchange with their users. NodeBB is the leading JavaScript-based forum solution, having over 12k stars on GitHub. Several popular companies are using NodeBB to establish a community around their flagship products. During recen...

CVSS 5, AI score 7.5, EPSS 0.0252
Exploits: 3
OSV
added 2021/11/29 8:15 p.m., 12 views

CVE-2021-43786

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible...

CVSS 7.5, AI score 7.5
Exploits: 0, References: 4
OSV
added 2021/11/29 8:15 p.m., 11 views

CVE-2021-43788

Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected languages/ directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as...

CVSS 5, AI score 6.6
Exploits: 0, References: 4
NVD
added 2021/11/29 8:15 p.m., 12 views

CVE-2021-43787

Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a pat...

CVSS 9, EPSS 0.0041
Exploits: 1, References: 4
NVD
added 2021/11/29 8:15 p.m., 13 views

CVE-2021-43788

Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected languages/ directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as...

CVSS 5, EPSS 0.0252
Exploits: 1, References: 4
NVD
added 2021/11/29 8:15 p.m., 11 views

CVE-2021-43786

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible...

CVSS 9.8, EPSS 0.00475
Exploits: 1, References: 4