CVE-2023-43187
Published: 27 September 2023
Summary
CVE-2023-43187 is a critical-severity aka Blind XPath Injection (CWE-91) vulnerability in Nodebb Nodebb. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-43187 is a remote code execution vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to version 1.18.6. It arises from improper handling of XML-RPC input and is tracked under CWE-91, with a CVSS 3.1 base score of 9.8 reflecting network-accessible, unauthenticated attack conditions that can result in full confidentiality, integrity, and availability impact.
Unauthenticated remote attackers can exploit the flaw by submitting crafted XML-RPC requests to the exposed endpoint, enabling arbitrary code execution on the underlying server and potential full compromise of the forum installation.
The supplied references consist of GitHub repositories documenting the CVE without formal advisory or patch text; the version information in the CVE description indicates that upgrading to NodeBB 1.18.6 or later resolves the issue.
The associated EPSS values show a current score of 0.8770 against a recorded peak of 0.9011.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47606
Vulnerability details
A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.