3 matches found
CVE-2023-22487
Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @""p syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post...
CVE-2023-22487 Post mentions can be used to read any post on the forum without access control
Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @""p syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post...
CVE-2023-22487
Concrete details show that Flarum, via the flarum/mentions extension, leaks the full JSON:API payload of all mentioned posts in certain API responses (POST /api/posts, PATCH /api/posts/) regardless of access rights. Affected are all Flarum versions prior to 1.6.3; mitigation is to upgrade to flar...