We are notifying you today about a security vulnerability that was present in older versions of NodeBB. We were notified of it on 25 May 2022, and patched and released fixed versions of NodeBB, v2.0.1 and v1.19.8, three days later, on 28 May.
The specifics of this vulnerability are available upon request, but it is considered critical and affects the security of any site running an affected version of NodeBB. Admins are urged to upgrade to these patched versions as soon as possible.
Alternatively, the following changesets can be cherry-picked into your installation of NodeBB in lieu of a full upgrade:
v2.x: https://github.com/NodeBB/NodeBB/commit/e802fab87f94a13f397f04cfe6068f2f7ddf7888
v1.19.x: https://github.com/NodeBB/NodeBB/commit/81e3c1ba488d03371a5ce8d0ebb5c5803026e0f9
As always, the NodeBB team is available at your disposal to answer any questions or provide assistance in implementing these changesets.
For more information on the security vulnerability, please visit the GitHub Security Advisory page for this disclosure.
barisusakli committed to NodeBB/NodeBB: fix: get rid of math.random in utils.generateUUID
barisusakli committed to NodeBB/NodeBB: fix: get rid of math.random in generateUUID
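For admins taking the cherry-pick route described above, the following is an added example (not NodeBB's own tooling) that maps an installed version to the matching changeset and applies it. It assumes the install directory is a git checkout whose `origin` remote is NodeBB/NodeBB, that `package.json` in that directory carries the installed version, and that releases after v2.0.1 already include the fix; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Versions and commit hashes are the ones given in the announcement.
FIX_V2=e802fab87f94a13f397f04cfe6068f2f7ddf7888   # changeset for v2.x
FIX_V1=81e3c1ba488d03371a5ce8d0ebb5c5803026e0f9   # changeset for v1.19.x

# version_lt A B: succeeds when A sorts strictly before B (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# installed_version DIR: read "version" from DIR/package.json (assumed layout).
installed_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "${1:-.}/package.json" | head -n 1
}

# nodebb_fix_for VERSION: prints "patched", a commit hash to cherry-pick,
# or "upgrade" when the announcement lists no changeset for that branch.
nodebb_fix_for() {
    v=${1#v}
    # Assumption: every release from 2.0.1 onwards carries the fix.
    if ! version_lt "$v" 2.0.1; then echo patched; return; fi
    case $v in
        2.*)    echo "$FIX_V2" ;;
        1.19.*) if version_lt "$v" 1.19.8; then echo "$FIX_V1"; else echo patched; fi ;;
        *)      echo upgrade ;;
    esac
}

# apply_fix DIR: cherry-pick the matching changeset into the checkout at DIR.
# Assumes DIR is a git checkout whose "origin" remote is NodeBB/NodeBB.
apply_fix() {
    dir=${1:-.}
    fix=$(nodebb_fix_for "$(installed_version "$dir")")
    case $fix in
        patched) echo "already on a patched release" ;;
        upgrade) echo "no changeset listed for this branch; do a full upgrade" >&2
                 return 1 ;;
        *)       git -C "$dir" fetch origin &&
                 git -C "$dir" cherry-pick -x "$fix" ;;  # -x records the source commit
    esac
}
```

Run `apply_fix /path/to/nodebb` and restart NodeBB afterwards so the patched code is loaded. A cherry-picked install still reports its old version number, so the `-x` trailer in the commit message is what later shows the fix is present.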