nodebb
npm package · 12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting nodebb (page 1 of 1)
- CVE-2015-3296 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 0.70 · 2017-09-21
  Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.
- CVE-2015-9286 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 0.8.2 · 2019-04-30
  Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.
- CVE-2021-43786 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 1.18.5 · 2021-11-29
  NodeBB is an open source Node.js based forum software. In affected versions, incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patched as of v1.18.5. User…
- CVE-2021-43787 · CRITICAL · CVSS 9.0 · EG 9.0 · ✓ Fixed in 1.18.5 · 2021-11-29
  NodeBB is an open source Node.js based forum software. In affected versions, a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing…
- CVE-2021-43788 · MEDIUM · CVSS 5.0 · EG 5.0 · ✓ Fixed in 1.18.5 · 2021-11-29
  NodeBB is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched …
- CVE-2022-36045 · CRITICAL · CVSS 9.0 · EG 9.0 · ✓ Fixed in 2.0.1 · 2022-08-31
  Vulnerable: 2.0.0
  NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in es…
- CVE-2022-36076 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 1.17.2 · 2022-09-02
  NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added …
- CVE-2022-3978 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 2.5.8 · 2022-11-13
  A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack re…
- CVE-2022-46164 · CRITICAL · CVSS 9.4 · EG 9.4 · ✓ Fixed in 2.6.1 · 2022-12-05
  NodeBB is an open source Node.js based forum software. Because a plain object with a prototype is used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. This vulnerabi…
- CVE-2023-26045 · CRITICAL · CVSS 10.0 · EG 10.0 · ✓ Fixed in 2.8.7 · 2023-07-24
  NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specia…
- CVE-2023-2850 · MEDIUM · CVSS 4.7 · EG 4.7 · ✓ Fixed in 2.8.13 · 2023-07-25
  NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by an attacker.
- CVE-2024-29316 · MEDIUM · CVSS 6.3 · EG 6.3 · ✓ Fixed in 3.6.7 · 2024-03-28
  NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via "isadmin":true.