PT-2022-4655 · Nodebb · Nodebb

Hakupiku · Published 2022-08-30 · Updated 2023-10-26 · CVE-2022-36045

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NodeBB Forum Software versions prior to 1.19.7; NodeBB Forum Software versions prior to 2.0.0

Description: The utils.generateUUID helper function in NodeBB Forum Software uses a cryptographically insecure pseudo-random number generator (Math.random()), which allows an attacker to calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB and enables an attacker to take over any account without the involvement of the victim.

Recommendations: For NodeBB Forum Software versions prior to 1.19.7, upgrade to version 1.19.7 or later. For NodeBB Forum Software versions prior to 2.0.0, upgrade to version 2.0.0 or later. As a temporary workaround, consider restricting access to the password reset functionality until a patch is applied. Note: There is no known workaround other than applying the patch sets listed above, which will fully patch the vulnerability.


Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

BDU:2022-05540
CVE-2022-36045
GHSA-P4CC-W597-6CPM

Affected Products

Nodebb