← back
CVE-2021-43786

API token verification can be bypassed

CVSS 9.8 CRITICALEPSS 2.3%CWE-287
Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
NodeBB · NodeBB

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/https://github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw