CVE-2022-3978 MEDIUM

CVE-2022-3978: NodeBB abort cross-site request forgery

Vendor Unspecified
Product NodeBB
Weakness CWE-863 · Incorrect authorization
Published November 13, 2022
Last update April 15, 2025
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this issue. The name of the patch is 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-213555.

Key dates

02Disclosure timeline

November 13, 2022 CVE published
April 15, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-23451 Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model CVE-2023-5521 Incorrect Authorization in tiann/kernelsu CVE-2026-44561 Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels CVE-2026-32923 OpenClaw < 2026.3.11 - Authorization Bypass in Discord Guild Reaction Allowlist Enforcement CVE-2026-44330 free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions