Description
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.
Remediation
References
https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675
Related Vulnerabilities
CVE-2022-41940 Vulnerability in maven package org.webjars.npm:engine.io
CVE-2023-22467 Vulnerability in maven package org.webjars.npm:luxon
CVE-2021-29469 Vulnerability in npm package redis
CVE-2023-38695 Vulnerability in npm package @simonsmith/cypress-image-snapshot
CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-beans