Skip to main content

Flarum CVE-2023-22489

LOW
Missing Authorization (CWE-862)
2023-01-13 security-advisories@github.com
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 13, 2023 - 19:15 nvd
LOW 3.5

DescriptionNVD

Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the first_post_id attribute of the discussion becomes null which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that discussions.comment_count is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between v1.3.0 and v1.6.3 are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds.

AnalysisAI

Flarum is a discussion platform for websites. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the first_post_id attribute of the discussion becomes null which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that discussions.comment_count is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between v1.3.0 and v1.6.3 are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds. Affected products include: Flarum.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

More in Flarum

View all
CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2021-32671 CRITICAL
10.0 Jun 07

Flarum is a forum software for building communities. Rated critical severity (CVSS 10.0), this vulnerability is remotely

CVE-2019-13183 HIGH
8.8 Jul 07

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. Rated hig

CVE-2023-22487 MEDIUM POC
4.3 Jan 11

Flarum is a forum software for building communities. Rated medium severity (CVSS 4.3), this vulnerability is remotely ex

CVE-2019-11514 HIGH
7.5 Apr 25

User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens. Rated h

CVE-2023-40033 HIGH
7.1 Aug 16

Flarum is an open source forum software. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low

CVE-2025-27794 MEDIUM
6.8 Mar 12

Flarum is open-source forum software. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no a

CVE-2023-22488 MEDIUM
5.4 Jan 12

Flarum is a forum software for building communities. Rated medium severity (CVSS 5.4), this vulnerability is remotely ex

CVE-2022-41938 MEDIUM
5.4 Nov 19

Flarum is an open source discussion platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitab

CVE-2018-19133 MEDIUM
5.3 Nov 09

In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address. Rated medium severity (CVSS 5.3), this v

CVE-2023-27577 MEDIUM
4.9 Mar 10

flarum is a forum software package for building communities. Rated medium severity (CVSS 4.9), this vulnerability is rem

Share

CVE-2023-22489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy