CVE-2022-46164

Published: Dec 5, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

Affected (1)

Products: Nodebb: Nodebb

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nodebb Nodebb	Before 2.6.1

Related CWEs

Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

References (4)

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.