CVE-2022-46164

EPSS 48.99%
Veröffentlicht 05.12.2022 21:15:10
Zuletzt bearbeitet 21.11.2024 07:30:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Account takeover via prototype vulnerability

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodebb ≫ Nodebb Version < 2.6.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	48.99%	0.987

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.4	3.9	5.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8

Patch

Third Party Advisory

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-46164

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-46164

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-46164

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-46164