SCA: security update for nodebb (GHSA-vh2g-6c4x-5hmp)

critical Tenable Self-Hosted Container Security Plugin ID 419339

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the
use of the object destructuring assignment syntax in the user export code path, combined with a path
traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily
execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site
maintainers can cherry pick the fix into their codebase to patch the exploit. (CVE-2023-26045)

See Also

https://github.com/advisories/GHSA-vh2g-6c4x-5hmp

Plugin Details

Severity: Critical

ID: 419339

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-26045

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/25/2023

Vulnerability Publication Date: 7/24/2023

Reference Information

CVE: CVE-2023-26045

cwe: CWE-22