Improper access control in Flarum

#VU71384 Improper access control in Flarum

Published: 2023-01-20

Vulnerability identifier: #VU71384

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22487

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Flarum
Web applications / Other software

Vendor: Flarum

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and read any post on the forum.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Flarum: 1.0.0 - 1.6.2

External links
http://github.com/flarum/framework/commit/ab1c868b978e8b0d09a5d682c54665dae17d0985
http://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Flarum