CVE-2022-36076: 0-day NodeBB Account Takeover Vulnerability

If you are running an online discussion forum based on NodeBB, make sure it has been updated with the newly issued security patches, which fix two critical vulnerabilities.

Maintainers of the NodeBB project recently published two security advisories describing the underlying vulnerabilities, tracked as CVE-2022-36076 and CVE-2022-36045.

NodeBB is forum software powered by Node.js that supports Redis, MongoDB, or PostgreSQL as its database. It uses web sockets for instant interactions and real-time notifications. NodeBB takes the best of the modern web (real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs) while staying true to the original bulletin board/forum format: categorical hierarchies, local user accounts, and asynchronous messaging.

The first vulnerability, CVE-2022-36076, was discovered by security researcher Mar0uane and allows account takeover via SSO plugins. “Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out. This re-exposed a vulnerability in that a specially crafted MITM attack could theoretically take over another user account during the single sign-on process,” NodeBB writes. The issue has been fully patched as of v1.17.2. The researcher has also published a write-up.

The second flaw, CVE-2022-36045, found by HakuPiku, is an account takeover via a cryptographically weak PRNG in `utils.generateUUID`. It affects NodeBB 1.x releases up to and including 1.19.7, as well as the 2.x line from 2.0.0 onward. “This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the involvement of the victim, and as such, the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset),” NodeBB writes.

Forum administrators are advised to upgrade to the latest NodeBB release (v2.5.2) as soon as possible.