Proof of Concept exploit for CVE-2020-15149 – NodeBB Arbitrary User Password Change

CVE Description
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover.

Exploit
Using Chrome Dev-Tools, its possible to execute the socket.emit function “user.changePassword” that is present on the Edit Password page, the backend will accept the password change to the TARGET_UID_HERE.

Proof of Concept