Cross-Site WebSocket Hijacking in NodeBB by NodeBB
CVE-2023-2850

4.7 MEDIUM

Key Information:

Vendor

NodeBB

Status
Vendor
CVE Published: 25 July 2023

What is CVE-2023-2850?

NodeBB is susceptible to a Cross-Site WebSocket Hijacking vulnerability stemming from inadequate validation of request origins. This weakness lets attackers potentially gain unauthorized access to sensitive user information. By leveraging this flaw, malicious actors could intercept WebSocket communications and extract valuable data from affected users. NodeBB users should update to the latest version immediately to mitigate these risks.

Affected Version(s)

NodeBB < 2.8.13

NodeBB >= 3.0.0, < 3.1.3

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Elliot Ward, Snyk