CVE-2022-46164: Account Takeover Vulnerability Found in NodeBB

Ddos December 5, 2022 2 min read

Maintainers of the NodeBB project have moved to address a critical security vulnerability in its service that, if successfully exploited, could result in an account takeover.

Tracked as CVE-2022-46164, the issue has a CVSS severity score of 9.4. The security flaw affects all versions of NodeBB Forum Software prior to 2.6.1.


NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. NodeBB takes the best of the modern web: real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs while staying true to the original bulletin board/forum format → categorical hierarchies, local user accounts, and asynchronous messaging.

“Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts,” according to the GitHub advisory.

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects[1]. Prototype pollution vulnerabilities typically arise when a JavaScript function recursively merges an object containing user-controllable properties into an existing object, without first sanitizing the keys.
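To illustrate the class of bug the advisory describes, here is an added example (not NodeBB's own code) of a socket.io-style message router that resolves a dotted event name such as `posts.reply` against a plain-object handler table, next to a hardened version that only follows own properties. The handler table and the `resolveUnsafe`/`resolveSafe`/`dispatch` names are constructed for this demo.

```javascript
// Constructed handler table for the demo: namespace -> method -> function.
function makeHandlers() {
  return {
    posts: {
      reply: (socket, data) => ({ ok: true, by: socket.uid, text: data.text }),
    },
  };
}

// Vulnerable pattern: a plain object inherits from Object.prototype, so a
// lookup for an inherited key (for example "constructor") does not fail; it
// returns an inherited value, and the router treats it as a handler.
function resolveUnsafe(handlers, event) {
  let cur = handlers;
  for (const part of event.split('.')) {
    cur = cur[part];
    if (cur === undefined) return undefined;
  }
  return typeof cur === 'function' ? cur : undefined;
}

// Hardened pattern: reject non-string events and follow only own properties
// at every step, so nothing from a prototype chain is ever reachable.
function resolveSafe(handlers, event) {
  if (typeof event !== 'string') return undefined;
  let cur = handlers;
  for (const part of event.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, part)) return undefined;
    cur = cur[part];
  }
  return typeof cur === 'function' ? cur : undefined;
}

// Dispatch with a chosen resolver; unknown events yield an error object.
function dispatch(handlers, event, socket, data, resolver) {
  const fn = resolver(handlers, event);
  if (!fn) return { error: 'unknown event' };
  return fn(socket, data);
}
```

Running `resolveUnsafe(makeHandlers(), 'posts.constructor')` returns the built-in `Object` function, while `resolveSafe` returns `undefined` for the same input and only dispatches the registered `posts.reply` handler.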

Forum administrators running an affected installation are recommended to upgrade to the latest NodeBB version (v2.6.1) as soon as possible. NodeBB has also published workarounds in its advisory for CVE-2022-46164.
