#VU71385 Missing Authorization in Flarum - CVE-2023-22488

Cybersecurity Help s.r.o.

Published: 2023-01-20

Vulnerability identifier: #VU71385

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-22488

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Flarum
Web applications / Other software

Vendor: Flarum

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing authorization in the notification-sending component. A remote user can obtain sensitive information from notifications.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Flarum: 1.0.0 - 1.6.2

External links
https://github.com/flarum/framework/commit/d0a2b95dca57d3dae9a0d77b610b1cb1d0b1766a
https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Flarum