CVE-2023-2850: Unintentional leakage of private information via cross-origin websocket session hijacking

NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by an attacker.

#vulnerability #web #git


Affected versions

3.0.0 - 3.1.2, < 2.8.13

Patched versions

3.1.3, 2.8.13

Description

Impact

Private messages or posts might be leaked to third parties if the victim opens the attacker's site while browsing NodeBB.

Patches

  • Patched in v3.1.3
  • Backported to v2.x line via v2.8.13

Workarounds

Users can cherry-pick 51096ad if they are on v3.x.

If you are running v2.x of NodeBB, you can cherry-pick a5d92da followed by 62e162c.

Related news

GHSA-4qcv-qf38-5j3j: Unintentional leakage of private information via cross-origin websocket session hijacking

Impact

Private messages or posts might be leaked to third parties if the victim opens the attacker's site while browsing NodeBB.

Patches

  • Patched in v3.1.3
  • Backported to v2.x line via v2.8.13

Workarounds

Users can cherry-pick https://github.com/NodeBB/NodeBB/commit/51096ad2345fb1d1380bec0a447113489ef6c359 if they are on v3.x.

If you are running v2.x of NodeBB, you can cherry-pick a5d92da9ddac5607ab7f737520a66eaed6d3ddee followed by 62e162cf1e735e42462be1db9b4954b5a69accdf.
