NodeBB vulnerable to Cross-Site Request Forgery

Moderate severity GitHub Reviewed Published Nov 13, 2022 to the GitHub Advisory Database • Updated Jan 29, 2023

Package

npm nodebb (npm)

Affected versions

< 2.5.8

Patched versions

2.5.8

Description

A vulnerability was found in NodeBB up to 2.5.7. It affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery, and the attack can be initiated remotely. Upgrading to version 2.5.8 addresses this issue. The patch is identified as 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. Upgrading the affected component is recommended.

References

Published by the National Vulnerability Database Nov 13, 2022
Published to the GitHub Advisory Database Nov 13, 2022
Reviewed Nov 16, 2022
Last updated Jan 29, 2023

Severity

Moderate 4.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS score

0.103% (43rd percentile)

Weaknesses

CVE ID

CVE-2022-3978

GHSA ID

GHSA-5gwx-wf9g-r5mx

Source code

No known source code