Researchers from SonarSource have recently warned that critical flaws in the open source forum platform NodeBB could allow attackers to steal sensitive information and gain access to admin accounts. NodeBB is JavaScript-based forum software with over 12,000 stars on GitHub. The researchers identified three distinct flaws in the software which, if exploited together, could result in remote code execution (RCE) on the underlying server: a path traversal issue, a cross-site scripting (XSS) bug and an authentication bypass vulnerability.
The path traversal problem (CVE-2021-43788) allows users to read JSON files outside of the anticipated languages/ directory, allowing attackers to leak potentially sensitive files such as the NodeBB configuration or exported user profiles containing personally identifiable information.
Attackers can leverage the XSS vulnerability (CVE-2021-43787) to take control of user accounts, including admin accounts. Victims merely need to view a rogue user’s profile or a forum post to be hijacked.
When combined, the three flaws could allow remote code execution on a NodeBB server, regardless of its configuration. More importantly, this can be done without a NodeBB account or any other prior information, meaning potential attackers can go after any instance on the internet. To protect themselves from these weaknesses, NodeBB users should update to at least version 1.18.5.
Full technical details of the vulnerabilities, which have been corrected in the newest version, may be found in a blog post from SonarSource.