Unintentional leakage of private information via cross-origin websocket session hijacking

Critical

julianlam published GHSA-4qcv-qf38-5j3j

Jul 24, 2023

Package

nodebb (npm)

Affected versions

3.0.0 - 3.1.2, < 2.8.13

Patched versions

3.1.3, 2.8.13

Description

Impact

Private messages or posts might be leaked to third parties if victim opens the attackers site while browsing nodebb.

Patches

Patched in v3.1.3
Backported to v2.x line via v2.8.13

Workarounds

Users can cherry-pick 51096ad if they are on v3.x

If you are running v2.x of NodeBB, you can cherry-pick a5d92da followed by 62e162c