SB2023012021 - Multiple vulnerabilities in Flarum
Published: January 20, 2023
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-22487)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when post content is retrieved. A remote user can bypass the implemented security restrictions and read any post on the forum, including posts the user is not permitted to view.
2) Missing Authorization (CVE-ID: CVE-2023-22488)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the notification-sending component does not check that a recipient is authorized to view the content included in a notification. A remote user can obtain sensitive information from the notifications delivered to them.
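Both issues are instances of the same defect class: content is looked up by identifier, or copied into a notification, without re-checking whether the actor or recipient is allowed to see it. The following is an added illustrative model written for this bulletin; it is not Flarum's code, and the names Post, User, Forum, can_view and the group-based visibility rule are assumptions chosen to make the two flaws and their fixes visible side by side.

```python
"""Constructed model of the two flaw classes in this bulletin:
1) reading a post by ID without a visibility check, and
2) sending notification content without checking the recipient's access.
Not Flarum code; all names and the visibility rule are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Post:
    id: int
    author: str
    body: str
    # Assumption: group allowed to read this post; None means public.
    restricted_to: Optional[str] = None


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)


def can_view(user: User, post: Post) -> bool:
    """Authorization rule (assumed): public posts, or posts restricted to
    a group the user belongs to."""
    return post.restricted_to is None or post.restricted_to in user.groups


class Forum:
    def __init__(self, posts: List[Post]) -> None:
        self.posts: Dict[int, Post] = {p.id: p for p in posts}
        self.notifications: List[Tuple[str, str]] = []  # (recipient, body)

    # Flaw 1 (vulnerable): any post ID resolves to its body, whoever asks.
    def read_post_vulnerable(self, actor: User, post_id: int) -> str:
        return self.posts[post_id].body

    # Flaw 1 (fixed): enforce the visibility rule before exposing content.
    # Missing and forbidden posts are reported identically so that the
    # error itself does not reveal whether a restricted post exists.
    def read_post_fixed(self, actor: User, post_id: int) -> str:
        post = self.posts.get(post_id)
        if post is None or not can_view(actor, post):
            raise PermissionError("post not found or not visible to actor")
        return post.body

    # Flaw 2 (vulnerable): every mentioned user gets the post body.
    def notify_mentions_vulnerable(self, post: Post, mentioned: List[User]) -> None:
        for user in mentioned:
            self.notifications.append((user.name, post.body))

    # Flaw 2 (fixed): the recipient must be allowed to view the post that
    # the notification would quote; otherwise no notification is sent.
    def notify_mentions_fixed(self, post: Post, mentioned: List[User]) -> None:
        for user in mentioned:
            if can_view(user, post):
                self.notifications.append((user.name, post.body))


def demo() -> dict:
    """Constructed scenario: one public post, one restricted to 'staff'."""
    public = Post(1, "alice", "hello everyone")
    secret = Post(2, "alice", "staff-only plans", restricted_to="staff")
    forum = Forum([public, secret])
    bob = User("bob")                  # ordinary member, no groups
    carol = User("carol", {"staff"})   # staff member

    # 1) Reading by ID: the vulnerable path leaks the restricted body to bob.
    leaked = forum.read_post_vulnerable(bob, 2)
    try:
        forum.read_post_fixed(bob, 2)
        blocked = False
    except PermissionError:
        blocked = True
    allowed = forum.read_post_fixed(carol, 2)

    # 2) Notifications: vulnerable path notifies bob with restricted content.
    forum.notify_mentions_vulnerable(secret, [bob, carol])
    vuln_recipients = sorted(name for name, _ in forum.notifications)
    forum.notifications.clear()
    forum.notify_mentions_fixed(secret, [bob, carol])
    fixed_recipients = sorted(name for name, _ in forum.notifications)

    return {
        "leaked": leaked,
        "blocked": blocked,
        "allowed": allowed,
        "vuln_recipients": vuln_recipients,
        "fixed_recipients": fixed_recipients,
    }


if __name__ == "__main__":
    print(demo())
```

The practical check when reviewing a fix of this kind is that the same authorization predicate used on the normal read path (here can_view) is applied on every secondary path that reproduces content: lookups by ID, previews, search results and notifications. A fix that only patches the primary endpoint leaves the other paths as equivalent leaks.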
Remediation
Install the update from the vendor's website (see the referenced advisories and commits for the fixed versions).
References
- https://github.com/flarum/framework/commit/ab1c868b978e8b0d09a5d682c54665dae17d0985
- https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3
- https://github.com/flarum/framework/commit/d0a2b95dca57d3dae9a0d77b610b1cb1d0b1766a
- https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4