CVE-2020-15149
Summary
| CVE | CVE-2020-15149 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-08-20 01:17:00 UTC |
| Updated | 2021-11-18 18:34:00 UTC |
| Description | NodeBB before version 1.14.3 has a bug, introduced in version 1.12.2, in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server (versions 1.12.2 through 1.14.2 are affected). This could lead to a privilege escalation event via an account takeover. As a workaround you may cherry-pick the following commit from the project's repository to your running instance of NodeBB: 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a. This is fixed in version 1.14.3. |
Risk And Classification
Problem Types: CWE-287 (Improper Authentication)
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Account takeover via password change request · Advisory · NodeBB/NodeBB · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Proof of Concept exploit for CVE-2020-15149 – NodeBB Arbitrary User Password Change – ZeroAuth | MISC | zeroauth.ltd | Third Party Advisory |
| fix: improper targetUid check during password change · NodeBB/NodeBB@c2477d9 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| NodeBB Forum 1.14.2 Account Takeover ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.