CVE-2022-3978 A vulnerability was found in NodeBB up to 2.5.7, which can be exploited to make remote requests forgery.

A critical vulnerability was discovered in NodeBB up to version 2.4.7. It is possible to issue a remote command on the affected server by using the GET request. The command may be executed with the permissions of the site administrator. There is no need to manually enter any command. It can be done automatically. This vulnerability has been assigned with the identifier VDB-211981. It is recommended to upgrade the affected component as soon A critical vulnerability was discovered in NodeBB up to version 2.4.7. It is possible to issue a remote command on the affected server by using the GET request. The command may be executed with the permissions of the site administrator. There is no need to manually enter any command. It can be done automatically. This vulnerability has been assigned with the identifier VDB-211981. It is recommended to upgrade the affected component as soon as possible.

Vulnerability details

A critical vulnerability was discovered in NodeBB up to version 2.4.7. It is possible to issue a remote command on the affected server by using the GET request. The command may be executed with the permissions of the site administrator. There is no need to manually enter any command. It can be done automatically. This vulnerability has been assigned with the identifier VDB-211981. It is recommended to upgrade the affected component as soon as possible.

Description of the Vulnerability

Vulnerable Server: NodeBB

Vulnerability overview

A vulnerability was discovered by the NodeBB core team in NodeBB up to version 2.4.7. It is possible to issue a remote command on the affected server by using the GET request. The command may be executed with the permissions of the site administrator. There is no need to manually enter any command. It can be done automatically. This vulnerability has been assigned with the identifier VDB-211981.

Technical details

This vulnerability is discovered in NodeBB, a web-based bulletin board system that allows users to create and share private text or image posts.
After the vulnerability was identified, the developer of NodeBB released a patch for this vulnerability. This fix can be obtained from the following link: https://github.com/nodebb/nodebb/pull/1902

Timeline

Published on: 11/13/2022 14:15:00 UTC
Last modified on: 11/18/2022 21:13:00 UTC

References

• https://github.com/NodeBB/NodeBB/releases/tag/v2.5.8
• https://github.com/NodeBB/NodeBB/commit/2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38
• https://vuldb.com/?id.213555
• https://github.com/NodeBB/NodeBB/issues/11017
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3978