CVE-2024-21641

Published: Jan 5, 2024

Modified: Jun 3, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe.

Vendor	Product	Versions
flarum	framework	affected `< 1.8.5`

Weaknesses (CWE)

CWE-601

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr

x_refsource_CONFIRM

https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a

x_refsource_MISC

https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-21641

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References