Advisories for Composer/Flarum/Framework package

2024

URL Redirection to Untrusted Site ('Open Redirect')

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum /logout route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a …

2023

Server-Side Request Forgery (SSRF)

Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to …

2022

Exposure of Sensitive Information to an Unauthorized Actor

In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address.