15 matches found
CVE-2023-40033
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofi...
CVE-2023-22489
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
CVE-2021-32671
Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 our last beta before v1.0.0 and was not noticed or documented. This allowed for any user to type...
CVE-2025-27794 Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain e.g., subdomain.host.com sets cookies scoped to the parent domain .host.com. This allows session token replacement f...
CVE-2025-27794 Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain e.g., subdomain.host.com sets cookies scoped to the parent domain .host.com. This allows session token replacement f...
PT-2025-11049 · Flarum · Flarum
Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.8.10 Description: A session hijacking issue exists when an attacker-controlled authoritative subdomain under a parent domain sets cookies scoped to the parent domain. This allows session token replacement for...
PT-2023-7222 · Flarum +1 · Flarum +1
Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.8.0 Description: The issue allows an attacker to conduct a Blind Server-Side Request Forgery SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. This is due to the...
Flarum 路径遍历漏洞
Flarum is an open source forum system for the Flarum community. A path traversal vulnerability exists in Flarum versions prior to 1.7.0. An attacker can exploit this vulnerability to access files and directories stored outside the web root folder...
CVE-2023-22489 Flarum is missing authorization in discussion replies
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
CVE-2023-22488 Missing authorization in Flarum
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
PT-2023-18539 · Flarum · Flarum
Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.6.3 Description: The issue allows an actor to read restricted or private content and bypass access checks by using the notifications feature. The notification-sending component does not verify if the subject of the...
PT-2023-18538 · Flarum · Flarum
Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.6.3 Description: The issue concerns the mentions feature provided by the flarum/mentions extension, which allows users to mention any post ID on the forum using a special syntax. This feature leaks the discussion ID...
CVE-2022-41938 Cross site scripting vulnerability with discussion titles in flarum
Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title inpu...
CVE-2019-13183
Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings...
CVE-2019-13183
Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings...