← Voltar para CVEs

CVE-2022-46164

CRITICAL

9.4

Descricao

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

Detalhes CVE

Pontuacao CVSS v3.19.4

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado12/5/2022

Ultima modificacao11/21/2024

Fontenvd

Avistamentos honeypot0

Produtos afetados

nodebb:nodebb

Fraquezas (CWE)

CWE-665

Referencias

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8(security-advisories@github.com)

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675(security-advisories@github.com)

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.