Vulnerability identifier: #VU46357
Vulnerability risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-269
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
NodeBB
Web applications /
Forum & blogging software
Vendor: NodeBB
Description
The vulnerability allows a remote authenticated user to escalate privileges within the application.
NodeBB before version 1.14.3 has a bug, introduced in version 1.12.2, in the validation logic of its password-change handling that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. Because the target account can be an administrator, this can lead to privilege escalation via account takeover.
Mitigation
Install update from vendor's website.
Vulnerable software versions
NodeBB: 1.12.2 - 1.14.2
External links
http://github.com/NodeBB/NodeBB/commit/c2477d9d5ffc43e5ffeb537ea2ceb4ce9592aa39
http://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
http://zeroauth.ltd/blog/2020/08/20/proof-of-concept-exploit-for-cve-2020-15149-nodebb-arbitrary-user-password-change/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.