CVE-2022-46164

EPSS 56.84%
Veröffentlicht 05.12.2022 21:15:10
Zuletzt bearbeitet 21.11.2024 07:30:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodebb ≫ Nodebb Version < 2.6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	56.84%	0.981

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.4	3.9	5.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8

Patch

Third Party Advisory

https://github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-46164

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-46164

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-46164

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-46164