Flarum · Flarum · CVE-2026-41887
**Name of the Vulnerable Software and Affected Versions**
Flarum versions prior to 1.8.16
Flarum versions prior to 2.0.0-rc.1
**Description**
An authenticated administrator can inject an arbitrary `@import` directive into the compiled `forum.css` file. This occurs because settings registered as LESS config variables, such as `theme primary color`, `theme secondary color`, and any key registered via `ExtendSettings::registerLessConfigVar()`, are interpolated verbatim into the LESS source at compile time, without restricting the `@import` and `data-uri()` features of the LESS compiler. An attacker with administrator privileges can therefore perform local file inclusion, reading arbitrary files reachable by the PHP process, or trigger server-side request forgery (SSRF) by causing the server to issue outbound HTTP(S) requests. The retrieved content is then embedded in the publicly served `forum.css` file. The issue can be exploited via the `/api/settings` endpoint.
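As an added illustration of the two controls a defender would want around this bug (it is example code written for this page, not Flarum's own code or its fix): an allowlist validator that only accepts bare hex colours for LESS config variables before they reach the compiler, and an audit scan over an already-compiled `forum.css` for `@import` and `data-uri(` occurrences. The setting key names, the hex-colour-only assumption for theme colours, the assumption that a clean compiled `forum.css` contains no `@import` at all, and the sample inputs are all constructed for the example.

```python
"""
Defensive checks for LESS config-variable injection in compiled forum.css.

Two independent controls:
  1. validate_less_config_value() / reject_dangerous_settings():
     an allowlist (strict hex colour) applied to setting values before they
     are interpolated into LESS, rather than a denylist of '@import'.
  2. scan_compiled_css(): an audit of a compiled forum.css for '@import' and
     'data-uri(' which, under this example's assumption, a clean build lacks.

Assumptions (not taken from the advisory): theme colour settings are hex
colours; setting key names below are illustrative.
"""
import re
from typing import Dict, List, Tuple

# Strict allowlist: #rgb, #rrggbb or #rrggbbaa, nothing else.
HEX_COLOR_RE = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})")

# Tokens that should never appear in a value destined for LESS interpolation;
# used only to give a reason in the rejection report, not as the gate.
LESS_DANGEROUS_RE = re.compile(
    r"@import|data-uri\s*\(|url\s*\(|[;{}\n]", re.IGNORECASE
)

# Pattern an auditor looks for in compiled CSS.
COMPILED_CSS_SUSPECT_RE = re.compile(r"@import|data-uri\s*\(", re.IGNORECASE)


def validate_less_config_value(value: str) -> bool:
    """Return True only if the value is a bare hex colour (whitespace ignored)."""
    return HEX_COLOR_RE.fullmatch(value.strip()) is not None


def reject_dangerous_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Map each rejected setting key to a reason. An empty dict means all accepted."""
    rejected: Dict[str, str] = {}
    for key, value in settings.items():
        if validate_less_config_value(value):
            continue
        match = LESS_DANGEROUS_RE.search(value)
        rejected[key] = (
            f"contains {match.group(0)!r}" if match else "not a hex colour"
        )
    return rejected


def scan_compiled_css(css: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for lines containing @import or data-uri(."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(css.splitlines(), start=1):
        if COMPILED_CSS_SUSPECT_RE.search(line):
            findings.append((number, line.strip()))
    return findings


# Constructed sample settings payload, as might arrive at the settings endpoint.
CONSTRUCTED_SETTINGS: Dict[str, str] = {
    "theme_primary_color": "#4d698e",                 # accepted
    "theme_secondary_color": '@import "PLACEHOLDER"',  # rejected: LESS directive
    "custom_less_var": "red",                          # rejected: not hex
}

# Constructed compiled forum.css fragment; line 2 is the kind of artifact
# the advisory describes being embedded in the served stylesheet.
SAMPLE_FORUM_CSS = """\
.Button--primary{background:#4d698e;color:#fff}
@import "PLACEHOLDER-INJECTED-PATH";
.Hero{background:#e7edf3}
"""

if __name__ == "__main__":
    print("rejected settings:", reject_dangerous_settings(CONSTRUCTED_SETTINGS))
    print("forum.css findings:", scan_compiled_css(SAMPLE_FORUM_CSS))
```

The validator is deliberately an allowlist: adding `@import` to a blocklist would leave other LESS features untouched, whereas accepting only a hex colour removes the injection surface for colour-typed variables entirely. Extensions that register non-colour LESS variables through `registerLessConfigVar()` need their own equally strict validator for whatever type they expect.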
**Recommendations**
Update to version 1.8.16 for the 1.x branch.
Update to version 2.0.0-rc.1 for the 2.x branch.
Ensure administrator accounts are protected with strong, unique passwords and two-factor authentication.
Restrict administrator access to trusted users only.