They have discovered an authentication bypass vulnerability and a cross-site scripting (XSS) bug.
The path traversal problem (CVE-2021-43788) lets users read JSON files outside of the intended languages/ directory, allowing attackers to leak potentially sensitive files such as the NodeBB configuration or exported user profiles containing personally identifiable information.
Attackers can leverage the XSS vulnerability (CVE-2021-43787) to take control of user accounts, including admin accounts. Victims merely need to view a rogue user’s profile or a forum post to be hijacked.
When combined, the three flaws might allow remote code execution on a NodeBB server, regardless of its configuration. More importantly, this can be done without a NodeBB account or any other prior information, implying that potential attackers can go after any instance on the internet. Hence, to protect themselves from these security weaknesses, NodeBB users should update to at least version 1.18.5.
Full technical details of the vulnerabilities, which have been corrected in the newest version, may be found in a blog post from SonarSource.