SCA: security update for flarum/core, flarum/framework (GHSA-hg9j-64wp-m9px)

medium Tenable Self-Hosted Container Security Plugin ID 421107

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10
when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`)
sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for
applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated
post-authentication. The key constraints are that the attacker must control some subdomain under the parent
domain (e.g., `evil.host.com` or `x.y.host.com`), and the parent domain must not be on the Public Suffix
List. Due to the non-existent session token rotation after authentication, we can theoretically reproduce the
vulnerability using browser dev tools, but due to the browser's security measures this does not seem to
be exploitable as described. Version 1.8.10 contains a patch for the issue. (CVE-2025-27794)
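The description above turns on one defensive property: a session token that existed before login must not remain valid after login. The following is an added illustration, not Flarum's code and not part of the Tenable plugin; it models a minimal in-memory session store (the `SessionStore` class, the constructed token value and the cookie header are all assumptions) and shows that only the rotating login path leaves a pre-authentication token useless. The second helper reads the `Domain` attribute of a `Set-Cookie` header, which is the scope setting that lets a sibling subdomain plant a cookie for the parent domain.

```python
"""Session fixation through parent-domain cookies: why tokens must rotate at login."""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory session table keyed by the token carried in the session cookie."""

    def __init__(self):
        self._sessions = {}

    def resume(self, token=None):
        """Return the session for the presented token, creating an anonymous
        session if the token is unknown; a fresh token is issued if none is given."""
        token = token or secrets.token_hex(16)
        self._sessions.setdefault(token, {"user": None})
        return token

    def login_without_rotation(self, token, user):
        # Vulnerable pattern: the pre-authentication token is simply upgraded to
        # an authenticated one, so whoever already knows it now holds a login.
        self._sessions[token]["user"] = user
        return token

    def login_with_rotation(self, token, user):
        # Fixed pattern: discard the pre-authentication token and issue a new one
        # that was never exposed before the credentials were checked.
        self._sessions.pop(token, None)
        fresh = secrets.token_hex(16)
        self._sessions[fresh] = {"user": user}
        return fresh

    def user_for(self, token):
        session = self._sessions.get(token)
        return session["user"] if session else None


def fixation_outcome(rotate):
    """Simulate a victim logging in while the browser carries a token that a
    third party planted via a parent-domain cookie. Returns the user that the
    planted token resolves to after login (None means it is worthless)."""
    planted = "token-known-to-third-party"  # constructed value, assumption
    store = SessionStore()
    token = store.resume(planted)
    if rotate:
        store.login_with_rotation(token, "alice")
    else:
        store.login_without_rotation(token, "alice")
    return store.user_for(planted)


def cookie_domain_scope(set_cookie_header, cookie_name):
    """Return the Domain attribute of the named cookie (leading dot stripped),
    or None for a host-only cookie. A Domain covering the parent, e.g. host.com,
    is what makes the cookie writable from any sibling subdomain."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    domain = jar[cookie_name]["domain"].lstrip(".").lower()
    return domain or None


if __name__ == "__main__":
    print("without rotation, planted token resolves to:", fixation_outcome(rotate=False))
    print("with rotation, planted token resolves to:", fixation_outcome(rotate=True))
    # Constructed header, assumption: cookie name "sid" is not Flarum's real cookie name.
    print(cookie_domain_scope("sid=abc; Domain=.host.com; Path=/; HttpOnly; Secure", "sid"))
```

The rotation fix does not prevent a sibling subdomain from writing the cookie; it only ensures that any token it could have written is discarded the moment the real user authenticates, which is the condition the description names ("if session tokens aren't rotated post-authentication"). Checking the `Domain` attribute is a quick way to confirm the application's own session cookie is host-only rather than parent-scoped.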

See Also

https://github.com/advisories/GHSA-hg9j-64wp-m9px

Plugin Details

Severity: Medium

ID: 421107

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 3/13/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-27794

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/12/2025

Vulnerability Publication Date: 3/12/2025

Reference Information

CVE: CVE-2025-27794

CWE: CWE-74