SB2023012021 - Multiple vulnerabilities in Flarum
Published: January 20, 2023 Updated: April 20, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-22487)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass the implemented security restrictions and read posts that should not be accessible to them.
2) Missing Authorization (CVE-ID: CVE-2023-22488)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to missing authorization in the notification-sending component. A remote user can obtain sensitive information from notifications.
3) Missing Authorization (CVE-ID: CVE-2023-22489)
The vulnerability allows a remote user to bypass reply restrictions and post replies in public discussions.
The vulnerability exists due to improper access control in the Flarum REST API when creating replies to a visible discussion whose first post was permanently deleted. A remote user can send a reply creation request to bypass reply restrictions and post replies in public discussions.
The issue occurs only if the discussion remains visible after the first post is deleted, such as when it still has at least one approved reply. User interaction is required because the user must submit a reply.
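The bulletin describes the failure class (a reply-restriction check that no longer holds once the first post is hard-deleted) but not the specific code path Flarum fixed. The following is an added illustration, constructed for this page and not Flarum's code: a minimal model in Python (chosen over Flarum's PHP because it models the bug class, not the project's API) in which the reply checks are reached only through the first post, so a discussion that is still visible but has no first post accepts replies from anyone. All class and function names (`Discussion`, `can_reply_vulnerable`, `can_reply_fixed`, `handle_create_reply`, `scenario`) are assumptions made for the example, and the sample discussions are constructed inline.

```python
# Constructed model of the failure class described above: an authorization
# check that is only reached through a related record (the first post) and so
# fails open once that record has been permanently deleted. This is not
# Flarum's code; every name here is an assumption made for the illustration.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Post:
    id: int
    author_id: int
    approved: bool = True


@dataclass
class Discussion:
    id: int
    first_post: Optional[Post]           # None once the first post is hard-deleted
    posts: list = field(default_factory=list)
    locked: bool = False                 # a reply restriction on the discussion

    def is_visible(self) -> bool:
        # Hypothetical visibility rule: the discussion stays listed as long as
        # it still has at least one approved post.
        return any(p.approved for p in self.posts)


@dataclass
class User:
    id: int
    can_reply: bool                      # forum-level "reply" permission


def can_reply_vulnerable(user: User, d: Discussion) -> bool:
    """Fail-open pattern: the reply checks hang off the first post."""
    if not d.is_visible():
        return False
    if d.first_post is None:
        # BUG: the code assumed a visible discussion always has a first post,
        # so the checks below are never evaluated and the reply is accepted.
        return True
    return user.can_reply and not d.locked


def can_reply_fixed(user: User, d: Discussion) -> bool:
    """Fail-closed: evaluate the reply restrictions on the discussion itself,
    regardless of whether the first post still exists."""
    if not d.is_visible():
        return False
    if d.locked:
        return False
    return user.can_reply


Policy = Callable[[User, Discussion], bool]


def handle_create_reply(user: User, d: Discussion, policy: Policy) -> int:
    """Simulated REST handler: returns an HTTP status for a reply-creation request."""
    if not d.is_visible():
        return 404                       # hidden discussions are not disclosed
    if not policy(user, d):
        return 403
    d.posts.append(Post(id=len(d.posts) + 1, author_id=user.id))
    return 201


def scenario(policy: Policy) -> dict:
    """Run an intact and a first-post-deleted discussion through `policy`
    for a user who lacks the reply permission (constructed sample data)."""
    restricted = User(id=7, can_reply=False)
    intact = Discussion(id=1, first_post=Post(id=1, author_id=1),
                        posts=[Post(id=1, author_id=1), Post(id=2, author_id=3)])
    # First post permanently deleted, but an approved reply keeps it visible.
    gutted = Discussion(id=2, first_post=None, posts=[Post(id=2, author_id=3)])
    return {
        "intact": handle_create_reply(restricted, intact, policy),
        "first_post_deleted": handle_create_reply(restricted, gutted, policy),
    }


if __name__ == "__main__":
    print("vulnerable:", scenario(can_reply_vulnerable))
    print("fixed:     ", scenario(can_reply_fixed))
```

The point of the model is that `can_reply_vulnerable` returns the same 403 as the fixed policy for an intact discussion, so ordinary testing does not surface the bug; only the edge case the bulletin names, a discussion kept visible by an approved reply after its first post is permanently deleted, reaches the fail-open branch. A review check for this class of defect is to ask, for every authorization decision, what the code returns when the record it dereferences is absent.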
Remediation
Install the update from the vendor's website.
References
- https://github.com/flarum/framework/commit/ab1c868b978e8b0d09a5d682c54665dae17d0985
- https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3
- https://github.com/flarum/framework/commit/d0a2b95dca57d3dae9a0d77b610b1cb1d0b1766a
- https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4
- https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725
- https://github.com/advisories/GHSA-hph3-hv3c-7725