PT-2023-21763 · NodeBB · NodeBB

Mowzk · Published: 2023-07-25 · Updated: 2023-08-07 · CVE-2023-2850

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: NodeBB versions prior to 2.8.13; NodeBB versions prior to 3.1.3

Description: NodeBB is affected by a Cross-Site WebSocket Hijacking (CSWSH) vulnerability because the WebSocket handshake does not validate the request origin. An attacker-controlled page can therefore open an authenticated WebSocket connection on the victim's behalf and extract certain user information. Private messages or posts may be leaked to a third party if the victim opens the attacker's site while browsing NodeBB.

Recommendations: For NodeBB versions prior to 2.8.13, update to version 2.8.13 or later. For NodeBB versions prior to 3.1.3, update to version 3.1.3 or later. As a temporary workaround for users on v3.x, consider cherry-picking https://github.com/NodeBB/NodeBB/commit/51096ad2345fb1d1380bec0a447113489ef6c359. For users running v2.x of NodeBB, consider cherry-picking a5d92da9ddac5607ab7f737520a66eaed6d3ddee followed by 62e162cf1e735e42462be1db9b4954b5a69accdf to mitigate the issue.
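The control whose absence the description names is an Origin check on the WebSocket handshake. The following is an added example, not NodeBB's code and not the referenced commits: a strict Origin allowlist implemented as a handshake middleware in the shape Socket.IO uses (`io.use((socket, next) => ...)`, with headers under `socket.handshake.headers`). The site URL, the middleware name and the constructed handshakes are assumptions for illustration.

```javascript
// Added example (not NodeBB's own code): Origin allowlisting for a
// WebSocket / Socket.IO handshake, the control whose absence enables
// Cross-Site WebSocket Hijacking. Function names are hypothetical.

// Canonical "scheme://host[:port]" form of a configured site URL.
function canonicalOrigin(siteUrl) {
  return new URL(siteUrl).origin;
}

// Accept only when the handshake's Origin exactly matches a configured
// site origin. Browsers always send Origin on WebSocket handshakes, so a
// missing, opaque ("null") or malformed header is treated as cross-site.
function isAllowedOrigin(originHeader, allowedOrigins) {
  if (typeof originHeader !== "string" || originHeader.length === 0) return false;
  if (originHeader === "null") return false; // sandboxed iframe, file://, etc.
  let origin;
  try {
    // URL parsing lowercases the host and drops default ports, so
    // "https://FORUM.example.com:443" compares equal to the configured origin.
    origin = new URL(originHeader).origin;
  } catch {
    return false; // not a parseable origin
  }
  // Exact-match lookup: no prefix or suffix matching, which would let
  // "forum.example.com.attacker.net" through.
  return allowedOrigins.includes(origin);
}

// Handshake middleware in Socket.IO's io.use((socket, next) => ...) shape.
// On rejection the connection is never established, so no session-bound
// data (messages, posts, user info) flows to the calling page.
function makeOriginMiddleware(siteUrls) {
  const allowed = siteUrls.map(canonicalOrigin);
  return function originMiddleware(socket, next) {
    const origin = socket.handshake.headers.origin;
    if (!isAllowedOrigin(origin, allowed)) {
      return next(new Error("websocket origin not allowed"));
    }
    return next();
  };
}

// Constructed handshakes (no real server involved) showing the three cases
// a defender cares about: same-site, third-party site, and no Origin at all.
function demo() {
  const middleware = makeOriginMiddleware(["https://forum.example.com"]);
  const results = {};
  const handshakes = {
    sameSite: "https://forum.example.com",
    attackerSite: "https://attacker.example.net",
    missing: undefined,
  };
  for (const [label, origin] of Object.entries(handshakes)) {
    middleware({ handshake: { headers: { origin } } }, (err) => {
      results[label] = err ? "rejected" : "accepted";
    });
  }
  return results;
}
```

Wiring it is one line on the server (`io.use(makeOriginMiddleware([config.url]))`); the important design points are that the comparison is an exact match against the full origin, not a substring or regex test, and that the check runs before any session lookup so an unauthorised page never reaches a state where user data could be emitted.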

Fix

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2023-2850, GHSA-4QCV-QF38-5J3J

Affected Products: NodeBB