Impact
A bug in our validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to privilege escalation via an account takeover.
Patches
The issue has been patched as of v1.14.3.
Workarounds
Cherry-pick the following commit to your running instance of NodeBB: 16cee1b