Flarum's Logout Route allows open redirects
CVE-2024-21641

6.5MEDIUM

Key Information:

Vendor

Flarum

Status
Framework
Vendor
CVE Published:
5 January 2024

What is CVE-2024-21641?

Flarum, an open-source discussion platform, was found to have a vulnerability related to its /logout route prior to version 1.8.5. The issue lies in a redirect parameter that can be manipulated by third parties, enabling unauthorized redirects of users from a trusted Flarum domain to potentially harmful links. While logged-in users must confirm their logout, guests are redirected immediately. This behavior can be exploited by spammers and malicious actors to leverage the trusted domain of a Flarum installation. Users are encouraged to update to flarum/core v1.8.5, where the vulnerability has been addressed. Additionally, certain extensions that modify the logout route may offer temporary workarounds if implemented securely.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

framework < 1.8.5

References

https://github.com/flarum/framework/security/advisories/G...
x_refsource_CONFIRM
https://github.com/flarum/flarum-core/commit/ee8b3b4ad141...
x_refsource_MISC
https://github.com/flarum/framework/commit/7d70328471cf30...
x_refsource_MISC

EPSS Score

32% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.