CVE-2022-46164

Опубликовано: 05 дек. 2022

Источник: nvd

CVSS3: 9.4

CVSS3: 9.8

EPSS Средний

Описание

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit 48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit.

Ссылки

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*

Версия до 2.6.1 (исключая)

EPSS

Процентиль: 98%

0.56836

Средний

9.4 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-665

Связанные уязвимости

GHSA-rf3g-v8p5-p675

CVSS3: 9.4

github

около 3 лет назад

NodeBB vulnerable to account takeover via prototype vulnerability

EPSS

Процентиль: 98%

0.56836

Средний

9.4 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-665