Post mentions can be used to read any post on the forum without access control
CVE-2023-22487
What is CVE-2023-22487?
The mentions feature of the Flarum forum software lets a user inject a link to any post by writing @"<username>"#p<id> in a post. The link is inserted without any access check, and the API response for the mentioning post includes the complete JSON:API payload of every mentioned post (its content, dates and other attributes), so a user can read posts they have no permission to view. The only permission an attacker needs is the ability to create posts, so the issue is exploitable even on a moderated forum. It has been fixed in version 1.6.3; disabling the mentions extension is a temporary workaround.
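To make the failure mode concrete, here is an added toy serializer (not the advisory's or Flarum's own code; the class names, the `can_view` rule and the sample data are assumptions) showing the unfiltered inclusion of mentioned posts beside a version that applies the same visibility check used for a direct post read:

```python
import re
from dataclasses import dataclass, field

# Mention syntax from the advisory: @"<username>"#p<id>
MENTION_RE = re.compile(r'@"(?P<username>[^"]+)"#p(?P<id>\d+)')

@dataclass
class Discussion:
    id: int
    is_private: bool
    # Users allowed to read a private discussion (assumed toy permission model)
    allowed_users: set = field(default_factory=set)

@dataclass
class Post:
    id: int
    author: str
    content: str
    discussion_id: int

def can_view(actor: str, post: Post, discussions: dict) -> bool:
    """Visibility rule the API already applies when a post is fetched directly."""
    d = discussions[post.discussion_id]
    return not d.is_private or actor in d.allowed_users

def mentioned_post_ids(content: str) -> list:
    """Extract the post ids referenced through the mention syntax."""
    return [int(m.group("id")) for m in MENTION_RE.finditer(content)]

def serialize_vulnerable(post: Post, posts: dict, discussions: dict, actor: str) -> dict:
    """Includes every mentioned post's payload with no visibility check (the bug)."""
    included = [vars(posts[i]) for i in mentioned_post_ids(post.content) if i in posts]
    return {"id": post.id, "content": post.content, "mentionsPosts": included}

def serialize_fixed(post: Post, posts: dict, discussions: dict, actor: str) -> dict:
    """Applies the same visibility rule to the included relation as to a direct read."""
    included = [vars(posts[i]) for i in mentioned_post_ids(post.content)
                if i in posts and can_view(actor, posts[i], discussions)]
    return {"id": post.id, "content": post.content, "mentionsPosts": included}

# Constructed sample data: a public discussion and a private one only alice may read.
DISCUSSIONS = {1: Discussion(1, False), 2: Discussion(2, True, {"alice"})}
POSTS = {
    20: Post(20, "alice", "private details", 2),
    10: Post(10, "carol", 'see @"alice"#p20', 1),  # carol may post but cannot read post 20
}
```

With the unfixed serializer, requesting post 10 as carol returns the full payload of post 20; the fixed one returns an empty `mentionsPosts` list for carol and still includes post 20 for alice.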

Affected Version(s)
framework < 1.6.3
