CVE-2022-3978: Release v2.5.8 · NodeBB/NodeBB

A vulnerability classified as problematic was found in NodeBB up to version 2.5.7. It affects an unknown part of /register/abort: the request can be manipulated to perform cross-site request forgery, and the attack can be initiated remotely. Upgrading to version 2.5.8 addresses the issue; the fixing patch is commit 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. Upgrading the affected component is recommended. The associated identifier of this vulnerability is VDB-213555.

Category: CVE
Tags: #csrf #vulnerability #nodejs

Release build (patch) of NodeBB @ 2022-11-09T18:46:09.127Z

v2.5.8 (2022-11-09)

Chores

  • really fix indents this time (c2024f3)
  • fix indents (d50512e)
  • add bootstrap5 to test runner for now (be5d6d2)
  • incrementing version number - v2.5.7 (5836bf4)
  • update changelog for v2.5.7 (17e948a)
  • incrementing version number - v2.5.6 (c7bd7db)
  • incrementing version number - v2.5.5 (3509ed9)
  • incrementing version number - v2.5.4 (e83260c)
  • incrementing version number - v2.5.3 (7e92293)
  • incrementing version number - v2.5.2 (babcd17)
  • incrementing version number - v2.5.1 (ce3aa95)
  • incrementing version number - v2.5.0 (01d276c)
  • incrementing version number - v2.4.5 (dd3e1a2)
  • incrementing version number - v2.4.4 (d5525c8)
  • incrementing version number - v2.4.3 (9c647c6)
  • incrementing version number - v2.4.2 (3aa7b85)
  • incrementing version number - v2.4.1 (60cbd14)
  • incrementing version number - v2.4.0 (4834cde)
  • incrementing version number - v2.3.1 (d242594)
  • incrementing version number - v2.3.0 (046ea12)

New Features

  • new search hooks (b5d38bc)
  • add search data to filter:search.inContent (e3f2156)

Bug Fixes

  • pass csrf_token into calls to /register/abort, #11017 (2f9d8c3)
  • check for csrf token on /register/abort, + theme changes for v2.x branches of themes (55a197a)
  • upgrade script to work from 0.x to 2.x (a31ba82)
  • #10519, image height in emails (673261f)
  • fallback language strings for #10987 (b9c8c02)
  • #10993, apply autoLocale middleware to guests only (6f673f8)
  • check cid as well as template (9227b82)
  • revert breaking change, add back SocketUser.emailConfirm (9ee30fe)
  • inappropriately named language key email-confirm-email2 (09f3ac6)
  • correctly pass dev flag to package installer (7672194)
  • use --omit=dev flag for npm instead of --production (09cfd0b)

Refactors

  • use utils.debounce (d264c6a)

Tests

  • fix tests again (06d1539)
  • fix test (c833d3c)

Related news

GHSA-5gwx-wf9g-r5mx: NodeBB vulnerable to Cross-Site Request Forgery

A vulnerability was found in NodeBB up to version 2.5.7. It affects an unknown part of /register/abort: the request can be manipulated to perform cross-site request forgery, and the attack can be initiated remotely. Upgrading to version 2.5.8 addresses the issue; the fixing patch is commit 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. Upgrading the affected component is recommended.
