12 matches found

Snyk
added 2026/04/22 8:34 p.m. · 2 views

Server-side Request Forgery (SSRF)

Overview: flarum/core is a simple discussion platform for your website. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the interpolation of unvalidated LESS config variables during CSS compilation. An attacker can access arbitrary files on the server or...

CVSS 6.9 · AI score 5.8 · EPSS 0.00014
Exploits 0 · References 3
RedhatCVE
added 2026/01/09 11:58 a.m. · 5 views

CVE-2018-19133

In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address...

CVSS 5.3 · AI score 6.8 · EPSS 0.00194
Exploits 0 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-4697

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 5.5 · EPSS 0.00194
Exploits 0 · References 3
Veracode
added 2025/03/18 2:45 a.m. · 7 views

Session Hijacking

flarum/core is vulnerable to Session Hijacking. The vulnerability is due to improper scoping of cookies, allowing an attacker-controlled subdomain to set cookies for the parent domain...

CVSS 6.8 · AI score 6.7 · EPSS 0.00377
Exploits 0 · References 5 · Affected Software 2
Snyk
added 2025/03/12 10:06 p.m. · 1 view

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview: flarum/core is a simple discussion platform for your website. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via authoritative subdomain cookie overwrite. An attacker controlling a...

CVSS 7.6 · AI score 6.8 · EPSS 0.00377
Exploits 0 · References 2
CVE
added 2024/01/05 9:02 p.m. · 62 views

CVE-2024-21641

Summary: CVE-2024-21641 affects Flarum versions before 1.8.5, where the /logout redirect parameter can be abused to redirect users to arbitrary links within a trusted domain, enabling open redirects. Impact: Unauthenticated users could be redirected by a trusted Flarum instance; for logged-in use...

CVSS 6.5 · AI score 4.6 · EPSS 0.39082
Exploits 0 · References 3 · Affected Software 1
Github Security Blog
added 2022/08/06 5:20 a.m. · 24 views

Byobu user preference to prevent private discussions being started are not respected

Impact: Users electing to prevent others starting private discussions with themselves. Please note that admins and others with appropriate permissions can always bypass this preference, as was the case before. Patches: Users of Byobu should update the extension to version 1.1.7, where this has been...

CVSS 4.3 · AI score 5.1 · EPSS 0.00168
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2022/08/01 12:00 a.m. · 2 views

PT-2022-23027 · Flarum +2

Name of the Vulnerable Software and Affected Versions: fof/byobu versions prior to 1.1.7. Description: The issue concerns the fof/byobu private discussions extension for the Flarum forum, where affected versions do not respect private discussion disablement by users. This means users who have chosen t...

CVSS 4.3 · AI score 4.5 · EPSS 0.00168
Exploits 0 · References 7
Veracode
added 2019/07/08 11:07 a.m. · 20 views

Cross-Site Request Forgery (CSRF)

flarum/core is vulnerable to cross-site request forgery (CSRF). The application was not able to determine the authenticity and origin of requests received due to a lack of anti-CSRF tokens. This allows remote attackers to submit unwanted requests on behalf of users when the users are tricked into...

CVSS 8.8 · AI score 8.5 · EPSS 0.00196
Exploits 0 · References 3 · Affected Software 1
Veracode
added 2018/11/12 1:49 a.m. · 12 views

Insecure Direct Object Reference

flarum/core is vulnerable to insecure direct object reference. An attacker is able to exploit the vulnerability to modify user information, which can possibly lead to a full account takeover...

CVSS 5.3 · AI score 5.4 · EPSS 0.00194
Exploits 0 · References 2 · Affected Software 1
Prion
added 2018/11/09 11:29 a.m. · 10 views

Design/Logic Flaw

In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address...

CVSS 5 · AI score 5.2 · EPSS 0.00194
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2018/11/09 11:00 a.m. · 13 views

CVE-2018-19133

In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address...

AI score 5.2 · EPSS 0.00194
Exploits 0 · References 1