PT-2023-18539 · Flarum · Flarum

Sycho9 · Published 2023-01-10 · Updated 2023-01-23 · CVE-2023-22488

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.6.3
Description: The issue allows an actor to read restricted or private content and bypass access checks through the notifications feature. The notification-sending component does not check whether the subject of a notification (such as a post) is visible to the recipient before dispatching it to the configured channels. The in-forum alert channel applies its own visibility check, so alerts do not leak data, but the email channel does not, and the email is sent regardless. With the Subscriptions extension enabled, an actor can subscribe to a discussion and receive email notifications for posts they are not permitted to read: posts awaiting approval, posts in tags the actor cannot access, and posts restricted by third-party extensions.
Recommendations: Upgrade to Flarum 1.6.3 or later as soon as possible. As a temporary workaround, disable the Flarum Subscriptions extension or disable email notifications altogether.
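To illustrate the shape of the flaw and of its fix, here is a hypothetical PHP model added for this page. It is not Flarum's code and does not use Flarum's API; the classes and functions (User, Post, Channel, AlertChannel, EmailChannel, dispatch, sendVulnerable, sendHardened) and the sample data are invented. It shows why a channel that re-checks visibility on its own (the alert) withholds the content while one that trusts its caller (email) leaks it, and that the robust fix is to filter the recipient list against the subject's visibility once, before any channel is invoked.

```php
<?php
// Hypothetical model of a subscription-driven notification dispatcher, written
// for this page. It is not Flarum's code; every name below is invented.

final class User {
    public function __construct(
        public readonly string $name,
        public readonly bool $isModerator = false,
    ) {}
}

final class Post {
    /** @param string[] $tagAllowList users allowed to see the post's tag; [] means public */
    public function __construct(
        public readonly string $body,
        public readonly bool $approved,
        public readonly array $tagAllowList = [],
    ) {}

    // Authorization rule used by this model: unapproved posts are visible only
    // to moderators, and posts in a restricted tag only to users on its allow list.
    public function isVisibleTo(User $user): bool {
        if (!$this->approved && !$user->isModerator) {
            return false;
        }
        if ($this->tagAllowList !== [] && !in_array($user->name, $this->tagAllowList, true)) {
            return false;
        }
        return true;
    }
}

interface Channel {
    /** Returns a description of what was sent, or null if nothing was sent. */
    public function send(User $to, Post $subject): ?string;
}

// The in-app alert channel re-checks visibility when it renders, which is why
// the advisory says alerts do not leak.
final class AlertChannel implements Channel {
    public function send(User $to, Post $subject): ?string {
        return $subject->isVisibleTo($to) ? "alert:{$to->name}" : null;
    }
}

// The email channel trusts its caller: whatever recipient it is handed gets
// the post body in an email.
final class EmailChannel implements Channel {
    public function send(User $to, Post $subject): ?string {
        return "email:{$to->name}:{$subject->body}";
    }
}

/** Fan a subject out to every recipient on every channel. */
function dispatch(Post $subject, array $recipients, array $channels): array {
    $sent = [];
    foreach ($recipients as $user) {
        foreach ($channels as $channel) {
            $result = $channel->send($user, $subject);
            if ($result !== null) {
                $sent[] = $result;
            }
        }
    }
    return $sent;
}

// Vulnerable shape: the raw subscriber list goes straight to the channels, so
// only channels that happen to re-check visibility withhold the content.
function sendVulnerable(Post $subject, array $subscribers, array $channels): array {
    return dispatch($subject, $subscribers, $channels);
}

// Hardened shape: filter subscribers against the subject's visibility once,
// before any channel runs, so no channel can bypass the check.
function sendHardened(Post $subject, array $subscribers, array $channels): array {
    $allowed = array_values(array_filter(
        $subscribers,
        fn (User $u) => $subject->isVisibleTo($u),
    ));
    return dispatch($subject, $allowed, $channels);
}

// Constructed sample data: a moderator and an ordinary subscriber, and a reply
// that is still awaiting approval.
$mod = new User('mod', isModerator: true);
$alice = new User('alice');
$pending = new Post('reply awaiting approval', approved: false);
$channels = [new AlertChannel(), new EmailChannel()];

print_r(sendVulnerable($pending, [$mod, $alice], $channels));
print_r(sendHardened($pending, [$mod, $alice], $channels));
```

Run with PHP 8.1 or later. In the vulnerable path alice receives no alert but does receive the email containing the unapproved post body, which is the leak the advisory describes; in the hardened path only mod receives anything. The same gate belongs in any third-party extension that adds its own notification type or channel, since a per-channel check, as the alert channel has here, protects only that one channel.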

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2023-22488
GHSA-8GCG-VWMW-RXJ4

Affected Products

Flarum