flarum is vulnerable to Authentication Bypass. The vulnerability exists because the library does not properly check access for post creation when the first post is deleted, allowing an attacker who can view the discussion to create new malicious replies via the REST API, even with reply permission or lock status.
CPE | Name | Operator | Version |
---|---|---|---|
flarum/core | le | v1.6.2 | |
flarum/framework | le | v1.6.2 | |
flarum/core | le | v1.6.2 | |
flarum/framework | le | v1.6.2 |
github.com/flarum/flarum-core/commit/e42b57713e4fdc83eddefffc07589ea739ea89f3
github.com/flarum/flarum-core/releases/tag/v1.6.3
github.com/flarum/framework/commit/12dfcc5c7960e8dc1e35e9d0a10d071923b39a76
github.com/flarum/framework/commit/12f14112a0ecd1484d97330b82beb2a145919015
github.com/flarum/framework/releases/tag/v1.6.3
github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725