CVE-2023-22487

{"id": "CVE-2023-22487", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-01-11T20:15:08.833", "references": [{"url": "https://github.com/flarum/framework/commit/ab1c868b978e8b0d09a5d682c54665dae17d0985", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/flarum/framework/commit/ab1c868b978e8b0d09a5d682c54665dae17d0985", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special `@\"<username>\"#p<id>` syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post or not: A URL to the mentioned post is inserted into the actor post HTML, leaking its discussion ID and post number. The `mentionsPosts` relationship included in the `POST /api/posts` and `PATCH /api/posts/<id>` JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions. An attacker only needs the ability to create new posts on the forum to exploit the vulnerability. This works even if new posts require approval. If they have the ability to edit posts, the attack can be performed even more discreetly by using a single post to scan any size of database and hiding the attack post content afterward. The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events. The discussion payload is not leaked but using the mention HTML payload it's possible to extract the discussion ID of all posts and combine all posts back together into their original discussions even if the discussion title remains unknown. All Flarum versions prior to 1.6.3 are affected. The vulnerability has been fixed and published as flarum/core v1.6.3. As a workaround, user can disable the mentions extension."}, {"lang": "es", "value": "Flarum es un software de foro para construir comunidades. Usando la funci\u00f3n de menciones proporcionada por la extensi\u00f3n flarum/mentions, los usuarios pueden mencionar cualquier ID de publicaci\u00f3n en el foro con la sintaxis especial `@\"\"#p`. El siguiente comportamiento nunca cambia, sin importar si el actor deber\u00eda poder leer la publicaci\u00f3n mencionada o no: se inserta una URL a la publicaci\u00f3n mencionada en el HTML de la publicaci\u00f3n del actor, filtrando su ID de discusi\u00f3n y n\u00famero de publicaci\u00f3n. La relaci\u00f3n `mentionsPosts` incluida en las respuestas JSON `POST /api/posts` y `PATCH /api/posts/` filtra el payload JSON:API completa de todas las publicaciones mencionadas sin ning\u00fan control de acceso. Esto incluye el contenido, la fecha, el n\u00famero y los atributos agregados por otras extensiones. Un atacante s\u00f3lo necesita la capacidad de crear nuevas publicaciones en el foro para explotar la vulnerabilidad. Esto funciona incluso si las nuevas publicaciones requieren aprobaci\u00f3n. Si tienen la capacidad de editar publicaciones, el ataque se puede realizar de manera a\u00fan m\u00e1s discreta usando una sola publicaci\u00f3n para escanear cualquier tama\u00f1o de base de datos y ocultando el contenido de la publicaci\u00f3n del ataque luego. El ataque permite la filtraci\u00f3n de todas las publicaciones en la base de datos del foro, incluidas las publicaciones en espera de aprobaci\u00f3n, las publicaciones en etiquetas a las que el usuario no tiene acceso y las discusiones privadas creadas por otras extensiones como FriendsOfFlarum Byobu. Esto tambi\u00e9n incluye publicaciones que no son comentarios, como cambios de etiquetas o cambios de nombre de eventos. El payload de la discusi\u00f3n no se filtra, pero utilizando el payload HTML de menci\u00f3n es posible extraer el ID de la discusi\u00f3n de todas las publicaciones y combinar todas las publicaciones nuevamente en sus discusiones originales, incluso si el t\u00edtulo de la discusi\u00f3n sigue siendo desconocido. Todas las versiones de Flarum anteriores a la 1.6.3 se ven afectadas. La vulnerabilidad ha sido reparada y publicada como flarum/core v1.6.3. Como workaround, el usuario puede desactivar la extensi\u00f3n de menciones."}], "lastModified": "2024-11-21T07:44:54.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flarum:flarum:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CCA0BF4-79A3-4528-821A-DF5DB8692C99", "versionEndExcluding": "1.6.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}