SB2022082431 - Arbitrary account takeover in NodeBB

Published: August 24, 2022

Security Bulletin ID: SB2022082431
Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2022-36045)

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists because the utils.generateUUID function uses a cryptographically weak pseudo-random number generator, and its output is used as the password reset code. A remote attacker can trigger the password reset functionality multiple times, use the observed values to correctly calculate the reset code, and take over an arbitrary account on the website.


Remediation

Install the update from the vendor's website.