Description

Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.

Remediation

References

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/

https://github.com/NodeBB/NodeBB/commit/c8b2fc46dc698db687379106b3f01c71b80f495f

https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-pfj7-2qfw-vwgm

Related Vulnerabilities

CVE-2020-7774 Vulnerability in maven package org.webjars.npm:y18n

CVE-2023-45143 Vulnerability in npm package undici

CVE-2014-0002 Vulnerability in maven package org.apache.camel:camel-core

CVE-2021-29418 Vulnerability in npm package netmask

CVE-2022-36921 Vulnerability in maven package org.jenkins-ci.plugins:coverity

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Tags

Exploit Third Party Advisory Patch Release Notes NVD-CWE-noinfo