CVE-2024-29316: Incorrect Access Control in NodeBB

March 29, 2024 (updated November 18, 2024)

In NodeBB prior to 3.6.7 an attacker was able to access the restricted tabs for the Admin group which are only allowed the the administrators.

References

github.com/NodeBB/NodeBB
github.com/advisories/GHSA-qc99-r4wh-c8h6
medium.com/%40krityamkarma858041/broken-access-control-nodebb-v3-6-7-eebc59c24deb
nodebb.org/bounty
nvd.nist.gov/vuln/detail/CVE-2024-29316

Code Behaviors & Features

Detect and mitigate CVE-2024-29316 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →