← back
CVE-2020-15149

Account takeover in NodeBB

CVSS 9.9 CRITICALEPSS 2.4%CWE-269
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover. As a workaround you may cherry-pick the following commit from the project's repository to your running instance of NodeBB: 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a. This is fixed in version 1.14.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Affected products
NodeBB · NodeBB
public PoCs found1
cve_referencepacketstormsecurity.com/files/159560/NodeBB-Forum-1.14.2-Account-Takeover.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/159560/NodeBB-Forum-1.14.2-Account-Takeover.htmlhttps://github.com/NodeBB/NodeBB/commit/c2477d9d5ffc43e5ffeb537ea2ceb4ce9592aa39https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7https://zeroauth.ltd/blog/2020/08/20/proof-of-concept-exploit-for-cve-2020-15149-nodebb-arbitrary-user-password-change/