Researchers have recently discovered critical flaws in the open source forum platform NodeBB that might allow attackers to steal sensitive information and gain access to admin accounts.
The flaws are a path traversal problem, a cross-site scripting (XSS) bug and an authentication bypass vulnerability. The path traversal problem (CVE-2021-43788) allows users to read JSON files outside the expected languages/ directory, so attackers can leak potentially sensitive files such as the NodeBB configuration or exported user profiles containing personally identifiable information.
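The sketch below is an added example, not NodeBB's own code: it shows how a translation-file lookup can end up outside a languages/ directory and how a hardened resolver blocks that. The base path, the function names and the assumption that a namespace may contain `/` sub-folders are all hypothetical.

```javascript
// Added illustration; not NodeBB source. Paths and names are constructed.
const path = require('path');

const LANG_ROOT = path.resolve('/srv/forum/languages'); // constructed base dir

// Naive form: joins request-derived segments and never checks the result.
function naiveLanguageFile(language, namespace) {
  return path.join(LANG_ROOT, language, namespace + '.json');
}

// Each path segment must start with an alphanumeric character, which
// excludes '', '.', '..', and anything containing slashes or backslashes.
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9_@-]*$/;

// Hardened form: allow-list every segment, then confirm containment
// after resolution as a second, independent check.
function safeLanguageFile(language, namespace) {
  if (typeof language !== 'string' || typeof namespace !== 'string') {
    return null;
  }
  // Assumption: namespaces may use '/' for sub-folders, e.g. 'admin/general'.
  const parts = [language, ...namespace.split('/')];
  if (!parts.every((p) => SEGMENT.test(p))) {
    return null;
  }
  const resolved = path.resolve(LANG_ROOT, ...parts) + '.json';
  if (escapesRoot(resolved)) {
    return null; // defence in depth: the resolved path left the base dir
  }
  return resolved;
}

// True when p does not live underneath LANG_ROOT.
function escapesRoot(p) {
  const rel = path.relative(LANG_ROOT, p);
  return rel === '' || rel.startsWith('..') || path.isAbsolute(rel);
}

// Constructed inputs: one ordinary lookup, one with parent-directory segments.
const samples = [['en-GB', 'admin/settings/general'], ['en-GB', '../../config']];
for (const [lang, ns] of samples) {
  const naive = naiveLanguageFile(lang, ns);
  console.log(ns, '| naive escapes root:', escapesRoot(naive),
    '| hardened:', safeLanguageFile(lang, ns));
}
```

The allow-list rejects bad input before any file-system call, and the containment check still catches anything that slips through if the segment pattern is later loosened.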
Attackers can leverage the XSS vulnerability (CVE-2021-43787) to take control of user accounts, including admin accounts. Victims merely need to view a rogue user’s profile or a forum post to be hijacked.
Chaining the three flaws might allow remote code execution on a NodeBB server, independent of its settings. More importantly, this can be done without a NodeBB account or any other information, meaning that potential attackers can go after any instance on the internet. To protect themselves from these security weaknesses, NodeBB users should update to at least version 1.18.5.