Flarum is vulnerable to Information Disclosure. The vulnerability exists because the library's JSON responses leak the complete payload of every mentioned post without any access control, including the post contents, when a post includes a payload such as @""#p.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | flarum/mentions | le | v1.6.1 |
| | flarum/framework | le | v1.6.2 |
github.com/flarum/framework/commit/132fdea659754ef57b7e3eb4b28c957cca06c9c5
github.com/flarum/framework/commit/ab1c868b978e8b0d09a5d682c54665dae17d0985
github.com/flarum/framework/pull/3721
github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3
github.com/flarum/mentions/commit/69ad759248728560d6c1981a495bdb5173da2d0b