A bug in our socket.io authentication code can result in Cross-Site WebSocket Hijacking (CSWSH)
Affected versions <2.8.13 & <3.1.3
We have resolved this in the latest version of NodeBB(2.8.13 & 3.1.3), and the fix has already been rolled out as a patch on all of our hosted customers.
The fix is included in the latest 2.8.13 & 3.1.3 releases
Node.js based forum software built for the modern web - Release 2.8.13 · NodeBB/NodeBBfavicon
Release v3.1.3 · NodeBB/NodeBB
Node.js based forum software built for the modern web - Release v3.1.3 · NodeBB/NodeBBfavicon