Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-rf3g-v8p5-p675: NodeBB vulnerable to account takeover via prototype vulnerability

Impact

Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts.

Patches

Patched in 2.6.1

Workarounds

Site maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit.

For more information

If you have any questions or comments about this advisory:

Discuss it on our community forum Email us at [email protected]

ghsa
Open in Source
#vulnerability#git

NodeBB vulnerable to account takeover via prototype vulnerability

Critical severity GitHub Reviewed Published Dec 5, 2022 in NodeBB/NodeBB • Updated Dec 5, 2022

Related news

CVE-2022-46164: fix: prototype vulnerability in socket.io onMessage · NodeBB/NodeBB@48d1439

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

ghsa: Latest News

GHSA-mj5r-x73q-fjw6: SPEmailHandler-PHP has Potential Abuse for Sending Arbitrary Emails
ghsa