CVE-2022-3978

Public Exploit

NodeBB abort cross-site request forgery

Description

A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this issue. The name of the patch is 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-213555.

References

Link	Tags
https://github.com/NodeBB/NodeBB/issues/11017	issue tracking exploit third party advisory
https://github.com/NodeBB/NodeBB/releases/tag/v2.5.8	third party advisory release notes
https://github.com/NodeBB/NodeBB/commit/2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38	third party advisory patch
https://vuldb.com/?id.213555	third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-3978?: CVE-2022-3978 has been scored as a medium severity vulnerability.
How to fix CVE-2022-3978?: To fix CVE-2022-3978, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-3978 being actively exploited in the wild?: It is possible that CVE-2022-3978 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-3978?: CVE-2022-3978 affects unspecified NodeBB.

Description

Categories

CWE-863 – Incorrect Authorization

CWE-352 – Cross-Site Request Forgery (CSRF)

References

Frequently Asked Questions