{"id":"GHSA-4qcv-qf38-5j3j","summary":"Unintentional leakage of private information via cross-origin websocket session hijacking","details":"### Impact\n\nPrivate messages or posts might be leaked to third parties if victim opens the attackers site while browsing nodebb.\n\n### Patches\n\n* Patched in v3.1.3\n* Backported to v2.x line via v2.8.13\n\n### Workarounds\n\nUsers can cherry-pick https://github.com/NodeBB/NodeBB/commit/51096ad2345fb1d1380bec0a447113489ef6c359 if they are on v3.x\n\nIf you are running v2.x of NodeBB, you can cherry-pick a5d92da9ddac5607ab7f737520a66eaed6d3ddee followed by 62e162cf1e735e42462be1db9b4954b5a69accdf\n","aliases":["CVE-2023-2850"],"modified":"2026-02-04T02:20:23.769279Z","published":"2023-07-25T18:04:28Z","related":["CVE-2023-2850"],"database_specific":{"severity":"MODERATE","cwe_ids":["CWE-1385","CWE-346"],"github_reviewed":true,"github_reviewed_at":"2023-07-25T18:04:28Z","nvd_published_at":"2023-07-25T12:15:10Z"},"references":[{"type":"WEB","url":"https://github.com/NodeBB/NodeBB/security/advisories/GHSA-4qcv-qf38-5j3j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2850"},{"type":"WEB","url":"https://github.com/NodeBB/NodeBB/commit/51096ad2345fb1d1380bec0a447113489ef6c359"},{"type":"WEB","url":"https://github.com/NodeBB/NodeBB/commit/62e162cf1e735e42462be1db9b4954b5a69accdf"},{"type":"WEB","url":"https://github.com/NodeBB/NodeBB/commit/a5d92da9ddac5607ab7f737520a66eaed6d3ddee"},{"type":"PACKAGE","url":"https://github.com/NodeBB/NodeBB"},{"type":"WEB","url":"https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3"}],"affected":[{"package":{"name":"nodebb","ecosystem":"npm","purl":"pkg:npm/nodebb"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.1.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4qcv-qf38-5j3j/GHSA-4qcv-qf38-5j3j.json"}},{"package":{"name":"nodebb","ecosystem":"npm","purl":"pkg:npm/nodebb"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.8.13"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4qcv-qf38-5j3j/GHSA-4qcv-qf38-5j3j.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"}]}