PT-2023-18540 · Flarum · Flarum

Credit: Clarkwinkelmann (+1)
Published: 2023-01-10 · Updated: 2023-01-23
CVE-2023-22489
CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Vulnerable software and affected versions: Flarum versions v1.3.0 through v1.6.3

Description: The issue occurs when the first post of a discussion is permanently deleted while the discussion itself remains visible. Any actor who can view the discussion can then create a new reply through the REST API, regardless of the reply permission or the discussion's lock status. The cause is that the discussion's first post id attribute becomes null, and the access control for new replies is skipped when that attribute is null. A discussion must have at least one approved reply for the issue to be exploitable. The consequence is uncontrolled spam or unintended replies, which can also be used to trigger unsolicited notification emails.

Recommendations: For versions v1.3.0 through v1.6.3, upgrade to flarum/core v1.6.3 as soon as possible using composer update --prefer-dist --no-dev -a -W. As a temporary workaround, delete the affected discussion itself, or manually set a first post id in the database so that the reply checks apply again. If you never permanently delete first posts, you are not affected by this issue.
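The following MySQL statements are an added example, not part of this advisory or of the Flarum project, showing how an administrator can first detect discussions in the state the advisory describes (visible, first post id null, at least one remaining reply) and then apply the advisory's temporary workaround of setting a first post id. They assume Flarum's default table names without a configured prefix (discussions, posts) and the standard columns first_post_id, hidden_at, is_locked, comment_count, discussion_id and type; if config.php sets a prefix, prefix the table names accordingly.

```sql
-- Added example (not from the advisory or the Flarum project).
-- Assumes Flarum's default table names without a prefix (discussions,
-- posts) and the standard columns first_post_id, hidden_at, is_locked,
-- comment_count, discussion_id and type. Adjust the table names if your
-- config.php sets a prefix (for example flarum_discussions).

-- 1. Detect: visible discussions whose first post was permanently deleted
--    (first_post_id IS NULL) but that still have at least one remaining
--    comment post. These are the discussions exposed to replies that
--    bypass the reply permission and lock status.
SELECT d.id,
       d.title,
       d.is_locked,
       d.comment_count,
       MIN(p.id) AS earliest_remaining_post_id
FROM discussions AS d
JOIN posts AS p
  ON p.discussion_id = d.id
 AND p.type = 'comment'
WHERE d.first_post_id IS NULL
  AND d.hidden_at IS NULL
GROUP BY d.id, d.title, d.is_locked, d.comment_count;

-- 2. Temporary workaround from the advisory: point first_post_id at the
--    earliest remaining comment post so the normal reply checks apply
--    again. Take a database backup and run this inside a transaction.
START TRANSACTION;

UPDATE discussions AS d
JOIN (
  SELECT discussion_id, MIN(id) AS first_remaining
  FROM posts
  WHERE type = 'comment'
  GROUP BY discussion_id
) AS r ON r.discussion_id = d.id
SET d.first_post_id = r.first_remaining
WHERE d.first_post_id IS NULL;

-- Re-run the SELECT above; it should now return no rows.
COMMIT;
```

The SELECT is safe to run on its own as a check before and after upgrading. The UPDATE only touches rows where first_post_id is null, so discussions that were never affected are left unchanged; the permanent fix remains upgrading flarum/core as recommended above.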


Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2023-22489
GHSA-HPH3-HV3C-7725

Affected Products

Flarum