id: CVE-2024-21641

info:
  name: Flarum < 1.8.5 - Open Redirect
  author: kking
  severity: medium
  description: |
    Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation.
  impact: |
    Unauthenticated attackers can redirect users to malicious phishing sites using the trusted domain of the Flarum installation.
  remediation: |
    Update Flarum to version 1.8.5 or later.
  reference:
    - https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr
    - https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a
    - https://nvd.nist.gov/vuln/detail/CVE-2024-21641
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
    cvss-score: 4.7
    cve-id: CVE-2024-21641
    cwe-id: CWE-601
    epss-score: 0.39082
    epss-percentile: 0.97352
    cpe: cpe:2.3:a:flarum:flarum:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: flarum
    product: flarum
    fofa-query: header="flarum_session="
    zoomeye-query: app="Flarum"
  tags: cve,cve2024,flarum,redirect,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/logout?return=http://oast.pro"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.pro\/?(\/|[^.].*)?$'
          - "Set-Cookie: flarum_session="
        condition: and

      - type: status
        status:
          - 302
# digest: 4a0a00473045022100b6d7cab7901b900f89593aa4338bc60ded920771e35191d28381609cc483557302202ac9d495b06f16e49a7796abf1cdc930127f0e2d2e1454d577779848ea075b05:922c64590222798bb761d5b6d8e72950