An attacker with a basic user forum account can specify a malicious avatar URL that discloses the contents of arbitrary local files on the file system.
An attacker can read the contents of any local file. An attacker can also conduct blind SSRF attacks.
The following versions are affected by this vulnerability:
Flarum is a delightfully simple discussion platform for your website. It’s fast, free, and easy to use, with all the features you need to run a successful community. It’s also extremely extensible, allowing for ultimate customizability.
Upgrade to the latest version of flarum/framework, >= 1.8.0.
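The kind of check that blocks both impacts described above (local file read and blind SSRF through a user-supplied avatar URL), as an added example that is not Flarum's code or its fix. This page does not describe the root cause, so the scheme allow-list, the address filtering, the host names and the names `avatarUrlRejection` and `$resolve` are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Flarum's code: returns a rejection reason, or null when
// the avatar URL may be fetched. $resolve is a hypothetical hook for DNS so
// the demo below runs offline; gethostbynamel() only returns IPv4 records.
function avatarUrlRejection(string $url, ?callable $resolve = null): ?string
{
    $resolve ??= static fn (string $h): array => gethostbynamel($h) ?: [];

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return 'not an absolute URL';           // bare local paths
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';            // e.g. file://
    }
    if (empty($parts['host']) || isset($parts['user'])) {
        return 'missing host or embedded credentials';
    }

    $host = trim($parts['host'], '[]');         // IPv6 literals keep brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if ($ips === []) {
        return 'host does not resolve';
    }
    foreach ($ips as $ip) {
        // Loopback, link-local and private ranges fail this filter.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return "resolves to internal address $ip";
        }
    }
    return null;
}

// Constructed inputs; the stub resolver stands in for DNS.
$records = ['avatars.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']];
$dns = static fn (string $h): array => $records[$h] ?? [];
$samples = ['https://avatars.example/u/1.png', '/path/to/local/file',
    'file:///path/to/local/file', 'http://127.0.0.1:8080/', 'http://intranet.example/a.png'];
foreach ($samples as $u) {
    printf("%-34s %s\n", $u, avatarUrlRejection($u, $dns) ?? 'ok');
}
```

A check like this only holds if the fetch that follows connects to the address that was validated and re-validates every redirect target; otherwise a second DNS answer or a redirect can still reach an internal host.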
Flarum has released an advisory here. The vulnerability was assigned CVE-2023-40033.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Adam Kues - Assetnote Security Research Team