NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit.
References
Configurations
History
21 Nov 2024, 07:50
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
References | () https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092 - Patch | |
References | () https://github.com/NodeBB/NodeBB/security/advisories/GHSA-vh2g-6c4x-5hmp - Vendor Advisory | |
References | () https://security.netapp.com/advisory/ntap-20230831-0004/ - |
31 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Aug 2023, 19:57
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/NodeBB/NodeBB/security/advisories/GHSA-vh2g-6c4x-5hmp - Vendor Advisory | |
References | (MISC) https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092 - Patch | |
CPE | cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:node.js:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Nodebb nodebb
Nodebb |
24 Jul 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-24 22:15
Updated : 2024-11-21 07:50
NVD link : CVE-2023-26045
Mitre link : CVE-2023-26045
CVE.ORG link : CVE-2023-26045
JSON object : View
Products Affected
nodebb
- nodebb
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')