NodeBB vulnerable to path traversal and code execution via prototype vulnerability
CVE-2023-26045
10 CRITICAL
What is CVE-2023-26045?
NodeBB, a Node.js-based forum software, is susceptible to a path traversal flaw due to the way it handles object destructuring in its user export functionality. This vulnerability affects versions 2.5.0 through 2.8.6, allowing an attacker to craft a malicious payload that could trigger the user export logic, potentially leading to the execution of arbitrary JavaScript files located on the server. The issue can be mitigated by updating to version 2.8.7 or by integrating a cherry-picked fix into the existing codebase. For more information, refer to the security advisory and patch details provided by NodeBB.
Affected Version(s)
NodeBB >= 2.5.0, < 2.8.7
