CVE-2022-35921 User preference to prevent private discussions not respected in fof/byobu

2022-08-0121:50:10

CWE-269

GitHub_M

www.cve.org

cve-2022-35921

user privacy

fof/byobu

flarum forum

extension

update

patched

upgrade

impact

disablement

workaround

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

19.4%

JSON

fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1 should upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum’s users and choose to disable the extension if needed. There are no workarounds for this issue.

CNA Affected

[
  {
    "product": "byobu",
    "vendor": "FriendsOfFlarum",
    "versions": [
      {
        "status": "affected",
        "version": ">=0.3.0-beta.2, < 1.1.7"
      }
    ]
  }
]