Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty ($512) — CVE-2020-15149

Muhammed Eren Uygun
Published in InfoSec Write-ups, Sep 19, 2020


Hello guys!

I hope you are all doing well. ✌️

About a month ago, I told you that I had found an Account Takeover vulnerability in a web application, as in the screenshot below. Now that the patch for the vulnerability has been released, I can share with you how I found it.

This is my first bug bounty write-up, so I am writing about a P1-qualified vulnerability.

Let's talk about it.

bug bounty reward mail

When I tested the NodeBB forum software, I found that the password of every user account could be changed.

Now I will walk through the steps to exploit this vulnerability.

1- First of all, I had to determine the “admin” user's uid. I tried numbers in the place marked with an asterisk (*) and found that the uid value of the admin account is 1.

taking admin account

2- I created a user named “testuser1” for myself.

created account

3- I went to the password change page from my user profile and entered my current password in the first box. Then I wrote the new password I wanted to set in the second and third boxes.

password change

4- Then, before pressing the submit button, I opened Burp Suite, which has a proxy option, replaced the uid value in the request with 1 (the uid of the admin user), and sent the request.


5- I wrote “admin” in the user name box and the new password I had set in step 3 in the password box.

admin password change

6- Thus, I obtained the account of the “admin” user.

admin account

Thus, thanks to this vulnerability I found in NodeBB, I won a reward of 512 dollars. 🏆🏆🏆

You can click the link below to view the NodeBB Forum Software's Hall of Fame list.

Below is the link to the GitHub page confirming that the vulnerability has been fixed.

I hope you learn something from it, and if so, give me a high five. ✋

Thank you for reading my article. You can reach me at the links below.

Healthy days! 😷