Flarum · Flarum · CVE-2024-21641
**Name of the Vulnerable Software and Affected Versions**
Flarum versions prior to 1.8.5
**Description**
The Flarum `/logout` route accepts a redirect parameter that lets any third party redirect users from a trusted domain of the Flarum installation to an arbitrary link. Logged-in users must confirm the logout before the redirect happens; guests are redirected immediately, so for them the crafted link works without any interaction. Spammers and phishers could use this to send victims to an arbitrary address through a link that carries the trusted domain of a running Flarum installation. Roughly 12,602 instances appear in Internet-wide search results, located mainly in the United States, China, and other countries.
**Recommendations**
For versions prior to 1.8.5, update flarum/core to 1.8.5 or later by running `composer update --prefer-dist --no-dev -a -W` from the Flarum installation directory, then confirm the installed version with `composer show flarum/core`. As a temporary workaround, an extension that modifies the logout route (for example, to drop or validate the redirect parameter) can be used, but only if that extension's own handling of the parameter is safe; an extension that still forwards the parameter unchecked does not close the hole.
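The following is an added example, not Flarum's code, that models the open redirect described above and the version check from the recommendations. The vulnerable function reproduces the pre-1.8.5 behaviour of trusting the redirect parameter as given; the hardened function accepts only targets on the forum's own scheme and host and rebuilds the final URL from those, so protocol-relative (`//host`), userinfo (`forum@evil`), subdomain-suffix, backslash and `javascript:` payloads all fall back to the base URL. The parameter name `return`, the base URL `https://forum.example`, the payloads and the `composer show` output are this example's assumptions and constructed inputs.

```python
"""Open-redirect check for a logout-style ``return`` parameter (added example).

Models the behaviour the advisory describes, it is not Flarum's code: before
1.8.5 the logout route redirected to whatever the ``return`` query parameter
held; the hardened function only accepts targets on the forum's own origin.
The parameter name ``return`` and the forum base URL are assumptions.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

FIXED_VERSION = (1, 8, 5)  # advisory: fixed in flarum/core 1.8.5


def vulnerable_logout_target(base_url: str, return_param: Optional[str]) -> str:
    """Pre-fix behaviour: the caller-supplied URL is used unchanged."""
    return return_param or base_url


def safe_logout_target(base_url: str, return_param: Optional[str]) -> str:
    """Hardened behaviour: redirect only within the forum's own scheme+host,
    otherwise fall back to the forum base URL."""
    if not return_param:
        return base_url
    # Whitespace, control characters and backslashes are rejected outright:
    # browsers normalise '\' to '/' and CR/LF would split the Location header.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in return_param):
        return base_url
    base = urlsplit(base_url)
    parts = urlsplit(return_param)
    if parts.scheme:
        # An absolute URL must carry the forum's scheme AND a host; 'https:/evil'
        # (scheme without netloc) is rejected because browsers re-add the '//'.
        if parts.scheme.lower() != base.scheme.lower() or not parts.netloc:
            return base_url
    if parts.netloc:
        # netloc includes userinfo and port, so 'forum.example@evil.example'
        # and 'forum.example.evil.example' both fail this comparison.
        if parts.netloc.lower() != base.netloc.lower():
            return base_url
    path = parts.path
    # Relative targets must be absolute-path ('/d/123'); '//host' would be a
    # protocol-relative URL and 'd/123' is not an in-site path.
    if (path and not path.startswith("/")) or path.startswith("//"):
        return base_url
    # Rebuild the target from the forum's own scheme and host so nothing the
    # attacker controlled can change the destination origin.
    return urlunsplit((base.scheme, base.netloc, path, parts.query, parts.fragment))


# Constructed sample of `composer show flarum/core` output for an unpatched site.
SAMPLE_COMPOSER_SHOW = """\
name     : flarum/core
descrip. : Delightfully simple forum software.
versions : * v1.8.4
"""


def parse_composer_version(show_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract the installed version from the 'versions : * vX.Y.Z' line."""
    m = re.search(r"^versions\s*:\s*\*\s*v?(\d+)\.(\d+)\.(\d+)", show_output, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True for any flarum/core release before the fixed version."""
    return version < FIXED_VERSION


if __name__ == "__main__":
    base = "https://forum.example"
    # Constructed attacker payloads; the last two are legitimate in-site targets.
    payloads = [
        "https://evil.example", "//evil.example", "https://forum.example@evil.example/",
        "https://forum.example.evil.example/", "/\\evil.example", "https:/evil.example",
        "javascript:alert(1)", "/d/123?x=1", "https://FORUM.example/d/123",
    ]
    for p in payloads:
        print(f"{p!r:45} vulnerable -> {vulnerable_logout_target(base, p)}")
        print(f"{'':45} hardened   -> {safe_logout_target(base, p)}")
    v = parse_composer_version(SAMPLE_COMPOSER_SHOW)
    print("installed", v, "vulnerable" if v and is_vulnerable(v) else "patched")
```

The hardened check is deliberately strict: a port in the candidate (`https://forum.example:443/`) does not match a base URL without one, and an unrecognised input always degrades to the forum base rather than to an error, which is the behaviour a logout redirect should have. When writing a workaround extension, apply the same rule in PHP before handing the value to the redirect response.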