GHSA-32WX-4GXX-H48F
Vulnerability from github – Published: 2021-01-29 18:13 – Updated: 2021-01-26 03:45This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020.
Impact
This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.
Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.
By moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.
The full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.
Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.
Forums that don't use the Tags extension are unaffected.
Patches
The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.
Workarounds
Version v0.1.0-beta.13.2 of the Tags extension allows existing Flarum beta 13 forums to fix the issue without the need to update to beta 14.
Forums that have not yet updated to Flarum beta 13 are encouraged to update as soon as possible.
References
For more information
If you have any questions or comments about this advisory, please start a new discussion on our support forum.
If you discover a security vulnerability within Flarum, please send an e-mail to security@flarum.org. All security vulnerabilities will be promptly addressed. More details can be found in our security policy.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.0-beta.13"
},
"package": {
"ecosystem": "Packagist",
"name": "flarum/tags"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.0-beta.13.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-26T03:45:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020.\n\n### Impact\nThis vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.\n\nUsers were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.\n\nBy moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.\n\nThe full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.\n\nForums that don\u0027t use restricted tags and don\u0027t use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion\u0027s tags.\n\nForums that don\u0027t use the Tags extension are unaffected.\n\n### Patches\nThe fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.\n\n### Workarounds\nVersion v0.1.0-beta.13.2 of the Tags extension allows existing Flarum beta 13 forums to fix the issue without the need to update to beta 14.\n\nForums that have not yet updated to Flarum beta 13 are encouraged to update as soon as possible.\n\n### References\n\n- [Release announcement](https://discuss.flarum.org/d/25059-security-update-to-flarum-tags-010-beta132)\n- [GitHub issue](https://github.com/flarum/core/issues/2355)\n\n### For more information\nIf you have any questions or comments about this advisory, please start a new discussion on our [support forum](https://discuss.flarum.org/t/support).\n\nIf you discover a security vulnerability within Flarum, please send an e-mail to [security@flarum.org](mailto:security@flarum.org). All security vulnerabilities will be promptly addressed. More details can be found in our [security policy](https://github.com/flarum/core/security/policy).",
"id": "GHSA-32wx-4gxx-h48f",
"modified": "2021-01-26T03:45:41Z",
"published": "2021-01-29T18:13:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flarum/tags/security/advisories/GHSA-32wx-4gxx-h48f"
},
{
"type": "WEB",
"url": "https://github.com/flarum/core/issues/2355"
},
{
"type": "WEB",
"url": "https://github.com/flarum/tags/commit/c8fcd000857493f1e4cc00b6f2771ce388b93e9d"
},
{
"type": "WEB",
"url": "https://discuss.flarum.org/d/25059-security-update-to-flarum-tags-010-beta132"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/flarum/tags"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Users can edit the tags of any discussion"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.