CVE-2022-23602

Name of the Vulnerable Software and Affected Versions Nimforum versions prior to 2.2.0

Description The issue allows any forum user to create a new thread or post that includes a reference to a local file on the host operating system. Nimforum will render the file if possible. This can be done silently using the post "preview" endpoint. Even when running as a non-critical user, the forum.json secrets can be stolen.

Recommendations For versions prior to 2.2.0, upgrade to version 2.2.0 as soon as possible, as it includes patches for this issue. As a temporary workaround, consider disabling the post "preview" endpoint until a patch is available. Restrict access to sensitive files on the host operating system to minimize the risk of exploitation.