Account takeover via password change request

Critical
julianlam published GHSA-hr66-c8pg-5mg7 Aug 17, 2020

Package

nodebb

Affected versions

1.12.2-1.14.2

Patched versions

1.14.3+

Description

Impact

A bug in our validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to privilege escalation via an account takeover.

Patches

The issue has been patched as of v1.14.3.

Workarounds

Cherry-pick the following commit to your running instance of NodeBB: 16cee1b

Severity

Critical

CVE ID

CVE-2020-15149

Weaknesses

No CWEs