Nodebb

19 vulnerabilities found.

Note: This list may be incomplete. Data is provided as-is, without warranty, in its original format.
Exploit
  • EPSS 0.15%
  • Published 27.08.2025 00:00:00
  • Last modified 09.09.2025 18:45:06

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and Postgre...

  • EPSS 0.33%
  • Published 18.04.2025 00:00:00
  • Last modified 23.04.2025 17:24:54

Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator.

  • EPSS 0.17%
  • Published 18.04.2025 00:00:00
  • Last modified 23.04.2025 17:28:01

Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database.

Exploit
  • EPSS 4.75%
  • Published 24.01.2025 20:15:33
  • Last modified 27.06.2025 19:33:21

A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.

  • EPSS 0.07%
  • Published 28.03.2024 23:15:46
  • Last modified 30.06.2025 12:18:59

NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via "isadmin":true.

  • EPSS 1.79%
  • Published 29.09.2023 06:15:09
  • Last modified 21.11.2024 08:00:28

Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or objec...

Exploit
  • EPSS 90.11%
  • Published 27.09.2023 15:19:33
  • Last modified 21.11.2024 08:23:47

A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.

  • EPSS 0.13%
  • Published 25.07.2023 12:15:10
  • Last modified 21.11.2024 07:59:25

NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by an attacker.

  • EPSS 0.3%
  • Published 24.07.2023 22:15:10
  • Last modified 21.11.2024 07:50:39

NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted...

  • EPSS 56.84%
  • Published 05.12.2022 21:15:10
  • Last modified 21.11.2024 07:30:14

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has be...