Description
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.
Remediation
References
https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675
Related Vulnerabilities
CVE-2021-32621 Vulnerability in maven package org.xwiki.platform:xwiki-platform-dashboard-macro
CVE-2022-24772 Vulnerability in npm package node-forge
CVE-2020-28168 Vulnerability in maven package org.webjars.bower:axios
CVE-2023-34238 Vulnerability in npm package gatsby-plugin-mdx
CVE-2023-47323 Vulnerability in maven package org.silverpeas.core:silverpeas-core-api