200 matches found
Authentication Bypass
flarum is vulnerable to Authentication Bypass. The vulnerability exists because the library does not properly check access for post creation when the first post is deleted, allowing an attacker who can view the discussion to create new malicious replies via the REST API, even with reply permissio...
Information Disclosure
Flarum is vulnerable to Information Disclosure. The vulnerability exists because the library's JSON responses leak the complete payload of all mentioned posts without any access control, including post contents when a post includes a payload such as @""p...
CVE-2023-22489
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
Improper access control
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
CVE-2023-22489 Flarum is missing authorization in discussion replies
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
CVE-2023-22489 Flarum is missing authorization in discussion replies
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
CVE-2023-22489 Flarum is missing authorization in discussion replies
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that...
CVE-2023-22489
CVE-2023-22489 affects Flarum, a discussion platform. When the first post of a discussion is permanently deleted but the discussion remains visible, any user who can view the discussion can create a new reply via the REST API, regardless of reply permissions or lock status. This affects users inc...
Flarum 安全漏洞
Flarum is an open source forum system for the Flarum community. A security vulnerability exists in versions prior to Flarum v1.6.3 that stems from discussions that would open uncontrolled spam or unintentional replies...
CVE-2023-22488
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
Design/Logic Flaw
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
CVE-2023-22488 Missing authorization in Flarum
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
CVE-2023-22488
CVE-2023-22488 affects Flarum core notification logic. The vulnerability stems from the notification-sending flow not validating that the notification subject is visible to the recipient, enabling reading of restricted/private content via subscriptions. Impact includes leakage of posts (including...
CVE-2023-22488 Missing authorization in Flarum
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
CVE-2023-22488 Missing authorization in Flarum
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
Flarum 安全漏洞
Flarum is an open source forum system for the Flarum community. A security vulnerability exists in versions prior to Flarum v1.6.3. An attacker exploiting this vulnerability could read restricted/private content and bypass access checks for such content...
CVE-2023-22487
Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @""p syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post...
Design/Logic Flaw
Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @""p syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post...
CVE-2023-22487
Concrete details show that Flarum, via the flarum/mentions extension, leaks the full JSON:API payload of all mentioned posts in certain API responses (POST /api/posts, PATCH /api/posts/) regardless of access rights. Affected are all Flarum versions prior to 1.6.3; mitigation is to upgrade to flar...
CVE-2023-22487 Post mentions can be used to read any post on the forum without access control
Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @""p syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post...