Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.
References
Configurations
History
02 Oct 2023, 18:19
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/NodeBB/NodeBB/commit/37b48b82a4bc7680c6e4c42647209010cb239c2c - Patch | |
References | (MISC) https://github.com/NodeBB/NodeBB/commit/830f142b7aea2e597294a84d52c05aab3a3539ca - Patch | |
References | (MISC) https://starlabs.sg/advisories/23/23-30591/ - Third Party Advisory | |
References | (MISC) https://github.com/NodeBB/NodeBB/commit/4d2d76897a02e7068ab74c81d17a2febfae8bfb9 - Patch | |
CPE | cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:* | |
CWE | CWE-754 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
First Time |
Nodebb
Nodebb nodebb |
29 Sep 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-29 06:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-30591
Mitre link : CVE-2023-30591
CVE.ORG link : CVE-2023-30591
JSON object : View
Products Affected
nodebb
- nodebb