CVE-2021-43787: Release v1.18.5 · NodeBB/NodeBB

NodeBB is open source, Node.js-based forum software. In affected versions, a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (such as JavaScript) into the DOM, theoretically allowing an account takeover when combined with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
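An added illustration (not NodeBB's own code) of the vulnerability class named above and of the kind of guard that a fix such as "guard against prototype pollution" applies: an unguarded deep merge of user-controlled JSON writes through a `__proto__` key into `Object.prototype`, so every object in the process inherits the attacker's value, while the hardened merge refuses the polluting keys. The payload, the `unsafeMerge`/`safeMerge` names and the `demo()` helper are constructed for this example.

```javascript
// Added example, not NodeBB code. Demonstrates how an unguarded recursive
// merge of user-supplied JSON pollutes Object.prototype, and the guard that
// prevents it. Runs under Node.js with no dependencies.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: copies every key, so an own "__proto__" key in the parsed JSON
// resolves target["__proto__"] to Object.prototype and writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip prototype-walking keys and only recurse into properties the
// target really owns, never into anything inherited from its prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && target[key];
      if (!own || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs both merges on a constructed payload shaped like form/upload metadata
// and reports whether an unrelated empty object picked up the injected key.
function demo() {
  const payload = () => JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "avatar.png"}');
  safeMerge({}, payload());
  const safeLeak = ({}).polluted;       // undefined: prototype untouched
  unsafeMerge({}, payload());
  const unsafeLeak = ({}).polluted;     // 'yes': every object now inherits it
  delete Object.prototype.polluted;     // undo the pollution for the rest of the process
  return { safeLeak, unsafeLeak };
}
```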


🚨 This release contains security patches. You are advised to upgrade to this version as soon as possible.

Release build (patch) of NodeBB @ 2021-10-27T16:47:58.522Z

v1.18.5 (2021-10-27)

Breaking Changes

  • disable javascript in custom less tab (719cfc0)

Chores

  • up themes (463b207)
  • up persona (1438f40)
  • incrementing version number - v1.18.4 (945c2b0)
  • update changelog for v1.18.4 (7cbcb52)
  • deps:
    • update dependency lint-staged to v11.2.6 (8d4bb8b)
    • update dependency lint-staged to v11.2.5 (0728a99)
    • update dependency lint-staged to v11.2.4 (f76a788)
    • update dependency husky to v7.0.4 (2a3e13f)
    • update dependency mocha to v9.1.3 (4784f01)
    • update dependency eslint-plugin-import to v2.25.2 (3c3f45d)
    • update dependency jsdom to v18 (4b8dcd4)
    • update dependency eslint-plugin-import to v2.25.1 (7c4aebb)
    • update dependency lint-staged to v11.2.3 (288b545)
    • update dependency lint-staged to v11.2.2 (f96c8c4)
    • update dependency @commitlint/cli to v13.2.1 (52c38a1)
    • update dependency lint-staged to v11.2.1 (022e8df)
    • update dependency eslint-config-nodebb to v0.0.3 (4b92df8)
  • i18n:
    • fallback strings for new resources: nodebb.admin-settings-email, nodebb.error (9b68dc3)
    • fallback strings for new resources: nodebb.admin-dashboard (ff962b5)
    • fallback strings for new resources: nodebb.admin-dashboard, nodebb.admin-menu (abe5913)
    • fallback strings for new resources: nodebb.admin-manage-digest, nodebb.admin-settings-user, nodebb.user (2bed40b)

Documentation Changes

  • update verbiage re: login API route (94c4f87b)

New Features

  • new ACP option emailPrompt … which allows administrators to disable the client-side prompt to encourage users to enter or confirm their email addresses (80ea12c)
  • show popular searches (f4cf482)
  • new plugin hook to allow plugins to reject email address on new registration or email change (6b4f35c)
  • utilities login API route now starts an actual login session, if requested (806a1e5)
  • add method name to deprecation message (b91ae08)
  • quote tooltip (66fca4e)
  • additional quality options for jpeg uploads, added quality and compression settings for png uploads (d22b076)
  • #8053, biweekly digest option (f7967bd)
  • core submit button dropdown (605a538)
  • added failing i18n tests (35af763)
  • confirm before deleting all events (#9875) (56d05b4)

Bug Fixes

  • deps:
    • update dependency nodebb-theme-vanilla to v12.1.7 (#9944) (bf20965)
    • update dependency nodebb-theme-persona to v11.2.19 (#9943) (bcf85fc)
    • update dependency nodebb-rewards-essentials to v0.2.0 (7c2ecb1)
    • update dependency nodebb-theme-vanilla to v12.1.6 (49b8b98)
    • update dependency nodebb-theme-persona to v11.2.18 (ed0adf2)
    • update dependency nodebb-theme-persona to v11.2.17 (7866107)
    • update dependency postcss to v8.3.11 (a5f4e20)
    • update dependency nodebb-theme-vanilla to v12.1.5 (d74a6bd)
    • update dependency sharp to v0.29.2 (8b8fe39)
    • update dependency postcss to v8.3.10 (b18a24e)
    • update dependency nodebb-theme-persona to v11.2.15 (f3c8d7d)
    • update dependency nodebb-theme-persona to v11.2.14 (#9919) (5e08e67)
    • update dependency socket.io-client to v4.3.2 (deba3e2)
    • update dependency socket.io to v4.3.1 (e1554f6)
    • update socket.io packages (ce5a0a2)
    • update dependency nodebb-plugin-spam-be-gone to v0.7.10 (600a872)
    • update dependency nodebb-plugin-composer-default to v7.0.10 (b0128f8)
    • update dependency nodebb-plugin-markdown to v8.14.4 (f8f35d7)
    • update dependency nodebb-plugin-composer-default to v7.0.9 (ed87466)
    • update dependency nodebb-theme-persona to v11.2.13 (1dba75e)
    • update dependency ioredis to v4.28.0 (4ff5452)
    • update dependency nodebb-theme-persona to v11.2.12 (fe9f82f)
    • update dependency ioredis to v4.27.11 (6d2e0aa)
    • update dependency nodebb-plugin-mentions to v2.14.1 (820f8cd)
    • update dependency jquery-ui to v1.13.0 (b0eb2ae)
  • remove loading="lazy", fixes inf. scroll loaded images (0157278)
  • windows tests (25ebbd6)
  • undefined query showing in searches (6cfaea0)
  • don’t repeat search if on same page (89f5e06)
  • api session revoke test (0926ae6)
  • crash (da64810)
  • add missing translation (eb075c7)
  • move record to controller (ee8e048)
  • profile edit fields showing translated values (63572c2)
  • #9934, fix translator test (8d316d1)
  • token verify (04dab1d)
  • guard against prototype pollution (1783f91)
  • translator path traversal (c8b2fc4)
  • there is no alltime digest, fixes translation in test email (e62948f)
  • clicking outside postContainer should close tooltip (47df62e)
  • minification regression (998b9e7)
  • tooltip (fec7ebe)
  • biweekly digest #8053 (9cb4de5)
  • restore plugin upgrade checking logic (4468739)
  • fallbacks for new language key (ed4ebd2)
  • #9917, show topics as unread for guests (4333d21)
  • clarify site settings urls vs config.json url (#9912) (6436aa6)
  • clarify SMTP enable toggle (#9911) (09f198f)
  • don’t overwrite reloadRequired with false (9e0ce02)
  • delete translations in admin/general folder (since general was removed and relocated elsewhere) (b460e59)
  • pushed missing key to tx and pulled fallbacks (21b6108)
  • adding missing language namespace “top” (0f9b0b7)
  • extra debug log (bd893cd)
  • have renovate add dependencies label to its PRs (eddb986)
  • no global bootbox (#9879) (227456f)
  • #9872 update app badge with notification count if applicable (3e69bcd)
  • better nomenclature (c1149d0)
  • html attributes (#9877) (3acaac4)
  • escape thumbs, allow robots meta tag (4f9717f)
  • missing translations (#9876) (7935bd9)

Performance Improvements

  • don't fs.open if plugin doesn't have language namespace (#9893) (1feb111)

Refactors

  • wider value field (c428ba8)
  • don't save partial searches (c7e078d)
  • use search api for topic search (6419273)
  • slowdown quick search (19ee717)
  • typo (a528790)
  • add callback to loadNotifications (f02fba2)
  • simplified utilities API > login route (506c34a)
  • log error as well (1d62bd6)
  • catch errors from buildHeader in error handler 🔥 (73a9ca0)
  • add missing helpers.tryRoute (d4da984)
  • shorter middleware (ee0282f)
  • meta/minifier use async/await (b2429ef)
  • remove unused var (90b8126)
  • catch errors from digest (8e319a9)
  • less.render returns promise (14bc83a)
  • less.render already returns promise (6da3239)
  • prompt.get already returns promise (c70eaa0)
  • no need for async/callbacks (057d1d5)
  • no more 🐮 (38756a0)
  • allow array of uids for blocks.is/list (a9bc6a0)
  • show full url on error log (8e6bd7e)
  • var to const and let (#9885) (b0a24d6)
  • remove unused code (997fb2b)
  • remove unused colorpicker (543d852)

Reverts

  • lazy load (3d1cf16)

Tests

  • fix broken openapi3 schema (7ef5214)
  • restore commented-out i18n test (fa1afbc)
  • moved topic event and topic thumb tests to subfolder for better organisation (154ffea)
  • remove escape (6c25b9d)
  • possible fix to timeout (63109c0)
  • increase timeout (8654a99)
