Lucene search

GitHub Advisory DatabaseGHSA-6GJM-6WJ6-4PX5

HistoryAug 06, 2022 - 5:20 a.m.

Byobu user preference to prevent private discussions being started are not respected

2022-08-0605:20:52

CWE-269

CWE-863

GitHub Advisory Database

github.com

byobu

user preference

private discussions

update

flarum core

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

19.4%

JSON

Impact

Users electing to prevent others starting private discussions with themselves.

> Please note that admins and others with appropriate permissions can always bypass this preference, as was the case before.

Patches

Users of Byobu should update the extension to version 1.1.7, where this has been patched. This version is only supported on v1.2.0 and later of Flarum Core.

Users of Byobu with Flarum 1.0 or 1.1 should upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum’s users and choose to disable the extension if needed.

Workarounds

There are no workarounds for this issue.

Affected configurations

Vulners

Node

fofbyobuRange0.3.0-beta.2–1.1.7

VendorProductVersionCPE
fofbyobu*cpe:2.3:a:fof:byobu:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fof	byobu	*	cpe:2.3:a:fof:byobu::::::::

References

github.com/advisories/GHSA-6gjm-6wj6-4px5

github.com/FriendsOfFlarum/byobu/commit/23dcf93a30f948d30c678a96681f7fdefeba5171

github.com/FriendsOfFlarum/byobu/security/advisories/GHSA-6gjm-6wj6-4px5

nvd.nist.gov/vuln/detail/CVE-2022-35921

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

19.4%

JSON

Related for GHSA-6GJM-6WJ6-4PX5