CVE-2023-30591

Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.
Configurations

Configuration 1 (hide)

cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*

History

02 Oct 2023, 18:19

Type Values Removed Values Added
References (MISC) https://github.com/NodeBB/NodeBB/commit/37b48b82a4bc7680c6e4c42647209010cb239c2c - (MISC) https://github.com/NodeBB/NodeBB/commit/37b48b82a4bc7680c6e4c42647209010cb239c2c - Patch
References (MISC) https://github.com/NodeBB/NodeBB/commit/830f142b7aea2e597294a84d52c05aab3a3539ca - (MISC) https://github.com/NodeBB/NodeBB/commit/830f142b7aea2e597294a84d52c05aab3a3539ca - Patch
References (MISC) https://starlabs.sg/advisories/23/23-30591/ - (MISC) https://starlabs.sg/advisories/23/23-30591/ - Third Party Advisory
References (MISC) https://github.com/NodeBB/NodeBB/commit/4d2d76897a02e7068ab74c81d17a2febfae8bfb9 - (MISC) https://github.com/NodeBB/NodeBB/commit/4d2d76897a02e7068ab74c81d17a2febfae8bfb9 - Patch
CPE cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
CWE CWE-754
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Nodebb
Nodebb nodebb

29 Sep 2023, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-29 06:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-30591

Mitre link : CVE-2023-30591

CVE.ORG link : CVE-2023-30591


JSON object : View

Products Affected

nodebb

  • nodebb
CWE
CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-241

Improper Handling of Unexpected Data Type