CVE-2022-3978

Exploit

EPSS 0.13%
Veröffentlicht 13.11.2022 14:15:10
Zuletzt bearbeitet 21.11.2024 07:20:39
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this issue. The name of the patch is 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-213555.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodebb ≫ Nodebb Version < 2.5.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.328

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cna@vuldb.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/NodeBB/NodeBB/commit/2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38

Patch

Third Party Advisory

https://github.com/NodeBB/NodeBB/issues/11017

Third Party Advisory

Exploit

Issue Tracking

https://github.com/NodeBB/NodeBB/releases/tag/v2.5.8

Third Party Advisory

Release Notes

https://vuldb.com/?id.213555

Third Party Advisory