Sycho9

**Name of the Vulnerable Software and Affected Versions** flarum versions prior to 1.7.0 **Description** The issue affects the `LESS` parser in flarum, allowing an attacker with a compromised admin account to read sensitive files on the server using path traversal techniques. This can be achieved by providing an absolute path to a sensitive file in the custom `LESS` setting. The scope of vulnerable files depends on the permissions given to the running flarum process. For example, an attacker could use the following code to read the contents of the `/etc/passwd` file on a Linux machine. **Recommendations** To resolve the issue, upgrade to version 1.7.0. For users unable to upgrade, ensure admin accounts are secured with strong passwords and follow best practices for account security. Additionally, limit the exposure of sensitive files on the server by implementing appropriate file permissions and access controls at the operating system level.

**Name of the Vulnerable Software and Affected Versions** Flarum versions prior to 1.6.3 **Description** The issue allows an actor to read restricted or private content and bypass access checks by using the notifications feature. The notification-sending component does not verify if the subject of the notification is visible to the receiver, sending notifications through different channels. Although alerts do not leak data due to visibility checks, emails are still sent out. This enables bypassing restrictions on posts by subscribing to discussions when the Subscriptions extension is enabled. The attack can leak posts awaiting approval, posts in inaccessible tags, and posts restricted by third-party extensions. **Recommendations** To resolve the issue, upgrade to Flarum version 1.6.3 as soon as possible. As a temporary workaround, consider disabling the Flarum Subscriptions extension or disabling email notifications altogether.

**Name of the Vulnerable Software and Affected Versions** Flarum versions v1.3.0 through v1.6.3 **Description** The issue occurs when the first post of a discussion is permanently deleted, but the discussion remains visible. This allows any actor who can view the discussion to create a new reply via the REST API, regardless of reply permission or lock status. The vulnerability is caused by the `first post id` attribute becoming `null`, which skips access control for new replies. Discussions must have at least one approved reply for this vulnerability to be exploitable. This can lead to uncontrolled spam or unintentional replies, and potentially be used to send unsolicited emails. **Recommendations** For versions v1.3.0 through v1.6.3, upgrade to flarum/core v1.6.3 as soon as possible using `composer update --prefer-dist --no-dev -a -W`. As a temporary workaround, consider deleting the discussion itself or manually setting a `first post id` in the database to prevent exploitation. If you don't delete the first posts, you are not affected by this issue.