Vulnerability Description
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodebb | Nodebb | >= 2.5.0, < 2.8.7 |
Related Weaknesses (CWE)
References
- https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092Patch
- https://github.com/NodeBB/NodeBB/security/advisories/GHSA-vh2g-6c4x-5hmpVendor Advisory
- https://security.netapp.com/advisory/ntap-20230831-0004/
- https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092Patch
- https://github.com/NodeBB/NodeBB/security/advisories/GHSA-vh2g-6c4x-5hmpVendor Advisory
- https://security.netapp.com/advisory/ntap-20230831-0004/
FAQ
What is CVE-2023-26045?
CVE-2023-26045 is a vulnerability with a CVSS score of 10.0 (CRITICAL). NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a...
How severe is CVE-2023-26045?
CVE-2023-26045 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-26045?
Check the references section above for vendor advisories and patch information. Affected products include: Nodebb Nodebb.