PT-2024-18991 · Flarum · Flarum

Davideiadeluca

Published: 2024-01-05 · Updated: 2025-04-28

CVE-2024-21641

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Flarum versions prior to 1.8.5
Description: The Flarum /logout route accepts a redirect parameter that lets any third party send users from a trusted domain of the Flarum installation to an arbitrary link. Logged-in users must confirm the logout first, while guests are redirected immediately. This lets spammers craft links on the trusted domain of a running Flarum installation that redirect to a web address of their choosing. Approximately 12,602 publicly reachable installations were identified, located mainly in the United States and China, with the remainder in other countries.
Recommendations: For versions prior to 1.8.5, update to version 1.8.5 with composer update --prefer-dist --no-dev -a -W, then confirm the installed version with composer show flarum/core. As a temporary workaround, consider using an extension that modifies the logout route, but only if its implementation is safe.
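Added example (not Flarum's own code): the allow-list check a safe logout route applies to its redirect target, and a scan of web-server access logs for /logout requests whose target leaves the trusted domain. The trusted host forum.example.org, the parameter name return and the log lines are assumptions constructed for this example; the first three test strings are the cases such a check most often gets wrong (scheme-relative, userinfo and non-http schemes).

```python
from urllib.parse import urlsplit, parse_qs
import re

TRUSTED_HOST = "forum.example.org"  # assumed: the Flarum installation's own host
REDIRECT_PARAM = "return"           # assumed name of the logout redirect parameter

def is_safe_redirect(target: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Allow only a relative path or an absolute http(s) URL on the trusted host."""
    # Empty, scheme-relative ("//other.example") and backslash forms are rejected.
    if not target or target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/")  # plain relative path such as /d/12
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and similar schemes
    # .hostname strips userinfo ("trusted@other.example") and port before comparing.
    return (parts.hostname or "").lower() == trusted_host.lower()

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def find_external_logout_redirects(log_lines):
    """Return (request_target, redirect_value) for /logout hits that leave the host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        request_target = m.group("path")
        split = urlsplit(request_target)
        if split.path.rstrip("/") != "/logout":
            continue
        for value in parse_qs(split.query).get(REDIRECT_PARAM, []):
            if not is_safe_redirect(value):
                hits.append((request_target, value))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jan/2024:10:00:01 +0000] "GET /logout?return=%2Fd%2F12 HTTP/1.1" 302 0',
    '203.0.113.6 - - [05/Jan/2024:10:00:02 +0000] "GET /logout?return=https%3A%2F%2Fother.example%2Fprize HTTP/1.1" 302 0',
    '203.0.113.7 - - [05/Jan/2024:10:00:03 +0000] "GET /logout?return=%2F%2Fother.example HTTP/1.1" 302 0',
    '203.0.113.8 - - [05/Jan/2024:10:00:04 +0000] "GET /?return=https%3A%2F%2Fother.example HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for request_target, value in find_external_logout_redirects(SAMPLE_LOG):
        print(f"external logout redirect: {request_target} -> {value}")
```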

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2024-21641
GHSA-733R-8XCP-W9MR

Affected Products

Flarum