PT-2022-23164 · Nodebb · Nodebb Forum

Julianlam · Published 2022-09-02 · Updated 2022-09-16 · CVE-2022-36076

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NodeBB Forum Software versions prior to 1.17.2

Description

The issue is caused by an unnecessarily strict conditional in the code handling the first step of the Single Sign-On (SSO) process. This conditional inadvertently rendered the pre-existing logic that added and checked a nonce as opt-in instead of opt-out, re-exposing a vulnerability. A specially crafted Man-in-the-Middle (MITM) attack could theoretically take over another user account during the single sign-on process.

Recommendations

For NodeBB Forum Software versions prior to 1.17.2, update to version 1.17.2 to fully patch the issue. As a temporary workaround, site maintainers can cherry-pick the patch commit into their codebase to patch the exploit.
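
The opt-in versus opt-out distinction in the description, as an added example that is not NodeBB's own code: the same nonce logic is run under a strict conditional and under a relaxed one. The `checkState` flag, the function names and the sample strategy are all hypothetical.

```javascript
const crypto = require('crypto');

// Hypothetical per-strategy flag `checkState`; this is not NodeBB source code.
// Strict conditional: only strategies that explicitly set the flag get a nonce (opt-in).
const optIn = (strategy) => strategy.checkState === true;
// Relaxed conditional: every strategy gets a nonce unless it explicitly declines (opt-out).
const optOut = (strategy) => strategy.checkState !== false;

// First step of SSO: build the options sent to the identity provider.
function beginSso(strategy, session, wantsState) {
  const opts = { scope: strategy.scope };
  if (wantsState(strategy)) {
    session.ssoState = crypto.randomBytes(16).toString('hex');
    opts.state = session.ssoState;
  }
  return opts;
}

// Callback step: the returned state must match the nonce stored in the session.
function verifyCallback(strategy, session, returnedState, wantsState) {
  if (!wantsState(strategy)) return true; // nonce check skipped entirely
  const expected = Buffer.from(String(session.ssoState || ''));
  const actual = Buffer.from(String(returnedState || ''));
  delete session.ssoState; // a nonce is single use
  return expected.length > 0 && expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
}

// Constructed sample: a strategy that never mentions the flag, and a
// callback whose state value was not issued to this session.
function unsolicitedCallbackAccepted(wantsState) {
  const strategy = { name: 'sso-example', scope: 'profile' };
  const session = {};
  beginSso(strategy, session, wantsState);
  return verifyCallback(strategy, session, 'value-from-elsewhere', wantsState);
}

// Constructed sample: a normal round trip where the provider echoes the nonce back.
function roundTripAccepted(wantsState) {
  const strategy = { name: 'sso-example', scope: 'profile' };
  const session = {};
  const opts = beginSso(strategy, session, wantsState);
  return verifyCallback(strategy, session, opts.state, wantsState);
}

console.log('opt-in accepts unsolicited callback :', unsolicitedCallbackAccepted(optIn));
console.log('opt-out accepts unsolicited callback:', unsolicitedCallbackAccepted(optOut));
```

Under the strict conditional a strategy that omits the flag silently loses the nonce check, which is why auditing a deployment means checking the default behaviour and not only the strategies that set the flag.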

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers

CVE-2022-36076
GHSA-XMGG-FX9P-PRQ6

Affected Products

Nodebb Forum