NodeBB vulnerable to path traversal and code execution via prototype vulnerability
CVE-2023-26045

10 CRITICAL

Key Information:

Vendor: NodeBB
Status: Vendor
CVE Published: 24 July 2023

What is CVE-2023-26045?

NodeBB, a Node.js-based forum software, is susceptible to a path traversal flaw due to the way it handles object destructuring in its user export functionality. This vulnerability affects versions 2.5.0 through 2.8.6, allowing an attacker to craft a malicious payload that could trigger the user export logic, potentially leading to the execution of arbitrary JavaScript files located on the server. The issue can be mitigated by updating to version 2.8.7 or by integrating a cherry-picked fix into the existing codebase. For more information, refer to the security advisory and patch details provided by NodeBB.

Affected Version(s)

NodeBB >= 2.5.0, < 2.8.7

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
