GHSA-67C6-Q4J4-HCCG Flarum vulnerable to LFI and Blind SSRF via Avatar upload

Impact The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulat...

PT-2023-7222 · Flarum +1 · Flarum +1

Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.8.0 Description: The issue allows an attacker to conduct a Blind Server-Side Request Forgery SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. This is due to the...