PT-2022-23027 · Unknown+2 · Flarum Core+2

Lowdavwheat · Published 2022-08-01 · Updated 2023-07-21 · CVE-2022-35921

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: fof/byobu versions prior to 1.1.7

Description: The issue concerns the fof/byobu private discussions extension for the Flarum forum, where affected versions do not respect a user's choice to disable private discussions. This means users who have chosen to prevent others from starting private discussions with them may still have such discussions started with them. Admins and others with the appropriate permission can always bypass this preference, regardless of version. There are no workarounds for this issue.

Recommendations: To resolve the issue, update the fof/byobu extension to version 1.1.7, which is only supported on Flarum Core version 1.2.0 and later. For users of Byobu with Flarum 1.0 or 1.1, upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum's users and disable the extension if needed.

Weakness Enumeration

Incorrect Authorization
Improper Privilege Management

Related Identifiers

CVE-2022-35921
GHSA-6GJM-6WJ6-4PX5

Affected Products

Flarum
Flarum Core
Fof/Byobu