CVE-2023-22489: Flarum is a discussion platform for websites. If the first p..
flarum
•
Jan 13, 2023
•
Jan 23, 2023
Description
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null` which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between `v1.3.0` and `v1.6.3` are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds.
Products affected:
flarum» flarum » *
In a few clicks Akto can analyze your API attack surface and see what APIs are vulnerable to OWASP Top 10 and other common CWEs.
Severity
3.5
/
10
CVSS base metrics
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
User interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Exploitability Score
2.1
Impact Score
1.4
Weakness
CWE-862__
Learn from academy
What is Metasploit and Nmap?
Drupal Penetration Testing
NIST Penetration Testing
Nessus Penetration Testing
Qualys Penetration Testing
Grey Box Penetration Testing Methodology
Black Box Penetration Testing Methodology
Cloud Penetration Testing Methodology
Active Directory Pentesting Methodology
GraphQL Penetration Testing Methodology
What is API Pentesting?
What is Automated Penetration Testing?
What is API Security?
What is API Security Posture?
What is API Security Testing?
API Security Checklist
What is a Shadow API?
What is a Zombie API?
What are Business Logic Vulnerabilities?
What is API Protection?
What is API Linting?
What is API Sprawl?
Security Misconfiguration in API
What is Internal API?
What is External API?
Internal vs External API
Sensitive Data Exposure
Data at Rest
Data in Transit
Data Breaches
API Security and Compliance
SOC 2: A Guide to SOC 2 Compliance
FedRAMP Guidelines
What is HIPAA Compliance
Authentication
Authorization
Authentication vs Authorization
HTTP Authentication
Access-Control-Allow-Origin (ACAO)
What is API?
Related tests
JWT authentication bypass via jku header injection
eSMTP - Config Discovery
Nginx - Git Configuration Exposure
Laravel - Sensitive Information Disclosure
Docker Container - Misconfiguration Exposure
Msmtp - Config Exposure
Parameters.yml - File Discovery
Mongo Express - Unauthenticated Access
Apache Airflow Configuration Exposure
Dockerrun AWS Configuration Exposure
Apache Config file disclosure
Appspec Yml Disclosure
Explore more from Akto
Blog
Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.
Test Library
Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.
Documentation
Check out Akto's product documentation for all information related to features and how to use them.