#VU46357 Improper Privilege Management in NodeBB


Published: 2021-06-17

Vulnerability identifier: #VU46357

Vulnerability risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-15149

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
NodeBB
Web applications / Forum & blogging software

Vendor: NodeBB

Description

The vulnerability allows a remote authenticated user to escalate privileges within the application.

NodeBB before version 1.14.3 contains a bug in its validation logic, introduced in version 1.12.2, that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to privilege escalation via account takeover.

Mitigation
Install the update from the vendor's website. Per the description above, versions before 1.14.3 are affected.

Vulnerable software versions

NodeBB: 1.12.2 - 1.14.2


External links
http://github.com/NodeBB/NodeBB/commit/c2477d9d5ffc43e5ffeb537ea2ceb4ce9592aa39
http://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
http://zeroauth.ltd/blog/2020/08/20/proof-of-concept-exploit-for-cve-2020-15149-nodebb-arbitrary-user-password-change/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
