Vulnerabilities > CVE-2023-26045 - Unspecified vulnerability in Nodebb

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

nodebb

critical

NVD

Published: 2023-07-24

Updated: 2024-11-21

Summary

NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit.

Vulnerable Configurations

Part	Description	Count
Application	Nodebb Nodebb Nodebb 2.5.0 Nodebb Nodebb 2.5.1 Nodebb Nodebb 2.5.2 Nodebb Nodebb 2.5.3 Nodebb Nodebb 2.5.4 Nodebb Nodebb 2.5.5 Nodebb Nodebb 2.5.6 Nodebb Nodebb 2.5.7 Nodebb Nodebb 2.5.8 Nodebb Nodebb 2.6.0 Nodebb Nodebb 2.6.1 Nodebb Nodebb 2.7.0 Nodebb Nodebb 2.8.0 Nodebb Nodebb 2.8.1 Nodebb Nodebb 2.8.2 Nodebb Nodebb 2.8.3 Nodebb Nodebb 2.8.4 Nodebb Nodebb 2.8.5 Nodebb Nodebb 2.8.6	19

Summary

Vulnerable Configurations

References