January 23, 2022

TheCyberThrone

Thinking Security ! Always

NodeBB Vulnerability Could Lead to RCE

Researchers have recently discovered critical flaws in the open-source forum platform NodeBB that might allow attackers to steal sensitive information and gain access to admin accounts.


NodeBB is JavaScript-based forum software with over 12,000 stars on GitHub. Researchers have identified three distinct flaws in the software that, if exploited together, might result in remote code execution (RCE) on the underlying server.

Alongside an authentication bypass vulnerability and a cross-site scripting (XSS) bug, they found a path traversal problem (CVE-2021-43788) that allows users to read JSON files outside of the intended languages/ directory. This lets attackers leak potentially sensitive files such as the NodeBB configuration or exported user profiles containing personally identifiable information.

Attackers can leverage the XSS vulnerability (CVE-2021-43787) to take control of user accounts, including admin accounts. Victims merely need to view a rogue user’s profile or a forum post to be hijacked.


Chaining the three flaws might allow remote code execution on a NodeBB server, regardless of its configuration. More importantly, this can be done without a NodeBB account or any other prior information, meaning that potential attackers can target any instance exposed on the internet. To protect themselves from these weaknesses, NodeBB users should update to at least version 1.18.5.
