SCA: security update for flarum/core (GHSA-8gcg-vwmw-rxj4)

Severity: Medium | Tenable Self-Hosted Container Security | Plugin ID 412658

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Flarum is a forum software for building communities. Using the notifications feature, one can read
restricted/private content and bypass the access checks that would otherwise apply to such content. The
notification-sending component does not check that the subject of the notification is visible to the
receiver, and proceeds to send notifications through all of its channels. Despite this, the in-forum alerts
do not leak data, because they are listed only after a visibility check; emails, however, are still sent
out. This means that, for extensions that restrict access to posts, any actor can bypass the restriction by
subscribing to the discussion, provided the Subscriptions extension is enabled. The attack leaks some posts
from the forum database, including posts awaiting approval, posts in tags the user has no access to (if the
user could subscribe to the discussion before it became private), and posts restricted by third-party
extensions. All Flarum versions prior to v1.6.3 are affected. The vulnerability has been fixed and
published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible to
v1.6.3. As a workaround, disable the Flarum Subscriptions extension or disable email notifications
altogether. There are no other supported workarounds for this issue for Flarum versions below 1.6.3.
(CVE-2023-22488)
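The failure mode described above is an authorization check applied at read time but not at send time (CWE-862). The model below is an added illustration, not Flarum code: the User/Post types, can_see(), the two dispatchers and the mailboxes are stand-ins for the real notification pipeline, and the sample posts are constructed. It shows why alerts stayed clean while email leaked, and the shape of the fix (filter recipients by visibility before any channel fires).

```python
"""Send-time vs read-time visibility checks in a notification fan-out.
Illustrative model only (not Flarum's code); all names are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class Post:
    id: int
    body: str
    tag_groups: frozenset = frozenset()  # empty = public tag
    approved: bool = True                # False = awaiting moderation


def can_see(user: User, post: Post) -> bool:
    """Visibility rule: post must be approved, and a restricted tag needs group membership."""
    if not post.approved:
        return False
    return not post.tag_groups or bool(user.groups & post.tag_groups)


@dataclass
class Mailbox:
    sent: list = field(default_factory=list)


def notify_vulnerable(post, subscribers, mailboxes):
    """Fan out to every subscriber. The alerts channel is filtered later by
    list_alerts(), but email is pushed immediately with no check."""
    alerts = {}
    for u in subscribers:
        alerts.setdefault(u.name, []).append(post)
        mailboxes[u.name].sent.append(post.body)  # leak: no can_see() here
    return alerts


def notify_fixed(post, subscribers, mailboxes):
    """Fix shape: apply the same visibility rule before any channel fires."""
    alerts = {}
    for u in subscribers:
        if not can_see(u, post):
            continue
        alerts.setdefault(u.name, []).append(post)
        mailboxes[u.name].sent.append(post.body)
    return alerts


def list_alerts(user, alerts):
    """Read-time filter: this is why alerts did not leak in the advisory."""
    return [p for p in alerts.get(user.name, []) if can_see(user, p)]


def demo():
    staff = User("alice", frozenset({"staff"}))
    outsider = User("bob")  # subscribed before the discussion went private
    subs = [staff, outsider]
    private = Post(1, "internal: salary bands", tag_groups=frozenset({"staff"}))
    pending = Post(2, "awaiting moderation", approved=False)
    boxes_v = {u.name: Mailbox() for u in subs}
    boxes_f = {u.name: Mailbox() for u in subs}
    alerts_v = {}
    alerts_f = {}
    for post in (private, pending):
        for k, v in notify_vulnerable(post, subs, boxes_v).items():
            alerts_v.setdefault(k, []).extend(v)
        for k, v in notify_fixed(post, subs, boxes_f).items():
            alerts_f.setdefault(k, []).extend(v)
    return {
        "vuln_alerts_bob": [p.id for p in list_alerts(outsider, alerts_v)],
        "vuln_email_bob": boxes_v["bob"].sent,
        "vuln_email_alice": boxes_v["alice"].sent,
        "fixed_email_bob": boxes_f["bob"].sent,
        "fixed_email_alice": boxes_f["alice"].sent,
    }
```

In the vulnerable path bob's alert list is empty (read-time check) while his mailbox holds both the restricted post and the unapproved one; in the fixed path alice receives only the post she may see and bob receives nothing.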

See Also

https://github.com/advisories/GHSA-8gcg-vwmw-rxj4
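The plugin's verdict reduces to "is the installed flarum/core older than the fixed release 1.6.3". The check below is an added example of that comparison against a Composer lock file; it is not Tenable's plugin logic, and the composer.lock content is constructed for the example. Because the advisory's workaround is to disable the Subscriptions extension, the check also reports whether flarum/subscriptions is present in the lock file (presence in the lock file does not prove the extension is enabled in Flarum).

```python
"""Added SCA-style check: flag flarum/core < 1.6.3 in a composer.lock.
Not Tenable's plugin; sample lock file is constructed."""
import json

FIXED = "1.6.3"


def parse_version(v):
    """'v1.6.2', '1.6.3', 'v1.6.0-beta.1' -> comparable tuple; None if not numeric.
    Pre-releases sort below the final release with the same numbers."""
    v = v.strip().lstrip("vV")
    core, _, pre = v.partition("-")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None  # e.g. "dev-main": cannot be compared, report separately
    nums = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    return (nums[:3], (0, pre) if pre else (1, ""))


def affected(version, fixed=FIXED):
    """True when version < fixed, False when patched, None when not comparable."""
    parsed = parse_version(version)
    return None if parsed is None else parsed < parse_version(fixed)


def installed_version(lock_text, package):
    """Version string for `package` from packages/packages-dev, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version", "")
    return None


def check(lock_text):
    core = installed_version(lock_text, "flarum/core")
    return {
        "core_version": core,
        "core_affected": affected(core) if core else None,
        # workaround from the advisory targets this extension; lock-file
        # presence does not prove it is enabled, so this is only a hint
        "subscriptions_installed": installed_version(lock_text, "flarum/subscriptions") is not None,
    }


SAMPLE_LOCK = json.dumps({  # constructed for this example
    "packages": [
        {"name": "flarum/core", "version": "v1.6.2"},
        {"name": "flarum/subscriptions", "version": "v1.6.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check(SAMPLE_LOCK))
```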

Plugin Details

Severity: Medium

ID: 412658

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-22488

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/10/2023

Vulnerability Publication Date: 1/10/2023

Reference Information

CVE: CVE-2023-22488

CWE: CWE-862