flarum/core and flarum/framework are vulnerable to Path Traversal. The vulnerability exists because the whenSettingsSaving function in ValidateCustomLess.php does not properly restrict the custom LESS setting, which allows an attacker to access files outside the expected directory and read sensitive server files.

Name | Operator | Version |
---|---|---|
flarum/core | le | v1.6.3 |
flarum/framework | le | v1.6.3 |
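
To check a deployment against the affected versions listed above, the following added example (not part of the original advisory or the Flarum project) reads a Composer lock file and reports whether flarum/core or flarum/framework is at or below v1.6.3. The function names and the sample lock contents are assumptions constructed for illustration.

```python
import json
import re

# Affected ranges as listed in the advisory table (operator "le" = less than or equal).
AFFECTED = {"flarum/core": (1, 6, 3), "flarum/framework": (1, 6, 3)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch), or None for branch aliases such as dev-main."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def audit_lock(lock_text):
    """Return a sorted list of (package, version, status) for the advisory's packages."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            if name not in AFFECTED:
                continue
            version = pkg.get("version", "")
            parsed = parse_version(version)
            if parsed is None:
                status = "unknown"  # not a comparable tag; review the installed commit
            elif parsed <= AFFECTED[name]:
                status = "affected"
            else:
                status = "not affected"
            findings.append((name, version, status))
    return sorted(findings)


# Constructed sample lock file, not taken from a real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "flarum/core", "version": "v1.6.3"},
        {"name": "flarum/tags", "version": "v1.6.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```

In practice, pass the contents of the site's own composer.lock to audit_lock; an "unknown" result means the package is installed from a branch alias and needs a manual check.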