CVE-2023-40033
Published 2023-08-16
Priority: P3
CVSS 3.1: 7.1 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.42% (33.7th percentile)
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. This has been patched in Flarum version 1.8.0. Users are advised to upgrade. Users unable to upgrade may disable PHP's `allow_url_fopen` which will prevent the fetching of external files via URLs as a temporary workaround for the SSRF aspect of the vulnerability.
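The description above (and the Impact section of the GHSA advisory further down) hinges on one call pattern: the upload handler trusts the client-declared MIME type and hands the raw file *contents* as a string to an image library whose decoder, when the string is not binary image data, tries it as a URL and then as a local path. The following is an added example, not Flarum's or intervention/image's own code. It assumes intervention/image v2 installed through Composer (`ImageManager::make`, and a decoder that accepts an `SplFileInfo` as a path); the sample "upload" is constructed inline, and the vulnerable branch only classifies the value the decoder would receive, it never fetches it, so the script runs offline.

```php
<?php
// Added example: vulnerable avatar handling beside a hardened form.
// Assumption: vendor/autoload.php comes from a Composer install of intervention/image v2.
require __DIR__ . '/vendor/autoload.php';

use Intervention\Image\ImageManager;

// Constructed sample upload: the client declares image/png, but the bytes are a URL.
// A local path such as '/etc/passwd' as the file body exercises the LFI side instead.
$declaredMime = 'image/png';
$uploadPath   = tempnam(sys_get_temp_dir(), 'avatar');
file_put_contents($uploadPath, 'http://127.0.0.1:9200/_cat/indices');

// Mirror of the decision a string-accepting decoder makes on what it is handed:
// non-text bytes are decoded as an image; text is tried as a URL, then as a path.
function classifyForDecoder(string $data): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if (substr($mime, 0, 4) !== 'text' && $mime !== 'application/x-empty') {
        return 'binary image data (decoded in memory)';
    }
    if (filter_var($data, FILTER_VALIDATE_URL) !== false) {
        return 'URL -> server-side fetch (SSRF)';
    }
    if (file_exists($data)) {
        return 'local path -> file read (LFI)';
    }
    return 'not readable';
}

// --- Vulnerable pattern: check only the declared MIME, pass the raw contents on. ---
if (str_starts_with($declaredMime, 'image/')) {
    $contents = file_get_contents($uploadPath);
    echo 'vulnerable handler would treat the upload as: ', classifyForDecoder($contents), PHP_EOL;
    // (new ImageManager(['driver' => 'gd']))->make($contents);  // the dangerous call, not executed here
}

// --- Hardened pattern: sniff the bytes, require a real image, decode from our own path. ---
function validateAvatar(string $path): ?string
{
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($path);   // content sniffing, not the client's claim
    $allowed = ['image/png', 'image/jpeg', 'image/gif'];
    if (!in_array($sniffed, $allowed, true)) {
        return "rejected: sniffed MIME is $sniffed";
    }
    if (@getimagesize($path) === false) {                        // second opinion: must parse as an image
        return 'rejected: not a decodable image';
    }
    return null;  // acceptable
}

$err = validateAvatar($uploadPath);
if ($err !== null) {
    echo "hardened handler: $err", PHP_EOL;
} else {
    // Wrapping the server-chosen path in SplFileInfo pins the decoder to path semantics,
    // so nothing in the file's bytes can be re-interpreted as a URL or another path.
    $image = (new ImageManager(['driver' => 'gd']))->make(new SplFileInfo($uploadPath));
    echo 'hardened handler: accepted ', $image->width(), 'x', $image->height(), PHP_EOL;
}
unlink($uploadPath);
```

Run with `php example.php` after `composer require intervention/image:^2`. With the constructed input the first branch reports `URL -> server-side fetch (SSRF)` and the second rejects the file as `text/plain`; swap the body for a real PNG and the hardened branch accepts it. Note that disabling `allow_url_fopen`, the workaround named above, only blocks the URL branch; the local-path branch still needs the content check.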
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flarum | core | >= 0 < 1.8.0 | 1.8.0 |
| flarum | flarum | < 1.8.0 | 1.8.0 |
| flarum | framework | < 1.8.0 | 1.8.0 |
| flarum | framework | >= 0 < 1.8.0 | 1.8.0 |
GHSA
Flarum vulnerable to LFI and Blind SSRF via Avatar upload
GHSA-67c6-q4j4-hccg, published 2023-08-16, severity HIGH, CWE-918
## Impact
The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack.
### Patches
This has been patched in Flarum **v1.8**.
## Workarounds
As
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/flarum/framework/security/advisories/GHSA-67c6-q4j4-hccg
https://github.com/flarum/framework/commit/d1059c1cc79fe61f9538f3da55e8f42abbede570