Vulnerabilities > CVE-2021-43786 - Unspecified vulnerability in Nodebb

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

nodebb

NVD

Published: 2021-11-29

Updated: 2024-11-21

Summary

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible.

Vulnerable Configurations

Part	Description	Count
Application	Nodebb Nodebb Nodebb 1.15.0 Nodebb Nodebb 1.15.1 Nodebb Nodebb 1.15.2 Nodebb Nodebb 1.15.3 Nodebb Nodebb 1.15.4 Nodebb Nodebb 1.15.5 Nodebb Nodebb 1.16.0 Nodebb Nodebb 1.16.1 Nodebb Nodebb 1.16.2 Nodebb Nodebb 1.17.0 Nodebb Nodebb 1.17.1 Nodebb Nodebb 1.18.4	87

References

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
https://github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500
https://github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw