CVE-2023-40033

CVSS 3.1 Score 7.1 of 10 (high)

Details

Published: Aug 16, 2023
Updated: Aug 25, 2023
CWE ID: 918

Summary

CVE-2023-40033 is a newly disclosed vulnerability in Flarum, an open-source forum software. It allows an attacker holding only a basic user account to perform blind Server-Side Request Forgery (SSRF) or to disclose files on the server. The root cause lies in the `intervention/image` package, which mistakenly interprets the contents of an uploaded file as a URL and fetches whatever it points to. Because of this behaviour, an attacker can make the application perform unintended actions, including SSRF, local file disclosure, and oracle attacks. Flarum 1.8.0 has been released with a fix, and users are strongly advised to upgrade. As a temporary measure for those unable to upgrade, disabling PHP's `allow_url_fopen` prevents the application from fetching remote content via URLs, which mitigates the SSRF aspect of the vulnerability.
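A defensive check for the upload path described above, added here as an example and not code from Flarum or from the intervention/image project. It assumes the application controls the point at which an uploaded file is handed to the image library and can validate the bytes first; the function names, size limits and allowed types are the example's own choices, and the sample inputs are constructed. It also shows a runtime guard for the interim `allow_url_fopen` mitigation.

```php
<?php
// Added hardening example (not Flarum's or intervention/image's own code).
// Assumptions: the uploaded file sits at $tmpPath, and the image library is
// only ever given raw bytes that passed validatedImageBytes().

declare(strict_types=1);

final class UploadValidationError extends RuntimeException {}

/**
 * Return the validated raw image bytes of an uploaded file, or throw.
 * Rejects any payload that is not a real raster image, so a text file whose
 * content is a URL or filesystem path is never handed to a decoder that may
 * treat strings as fetchable sources.
 */
function validatedImageBytes(string $tmpPath, int $maxBytes = 2 * 1024 * 1024): string
{
    if (!is_file($tmpPath)) {
        throw new UploadValidationError('upload is not a regular file');
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new UploadValidationError('upload size out of range');
    }

    // Content sniffing by magic bytes, independent of client-supplied name or MIME.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    $allowed = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];
    if (!in_array($mime, $allowed, true)) {
        throw new UploadValidationError("unexpected content type: {$mime}");
    }

    // Second opinion: the file must actually parse as an image with sane dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] > 8192 || $info[1] > 8192) {
        throw new UploadValidationError('file does not decode as an image');
    }

    $bytes = file_get_contents($tmpPath);
    if ($bytes === false) {
        throw new UploadValidationError('could not read upload');
    }

    // Belt and braces: a genuine image never begins with a URL scheme or data: prefix.
    if (preg_match('#^\s*(?:[a-z][a-z0-9+.-]*://|data:)#i', $bytes) === 1) {
        throw new UploadValidationError('payload looks like a URL, refusing');
    }
    return $bytes;
}

/**
 * Runtime guard for the advisory's interim mitigation: refuse to start image
 * processing while PHP may still fetch remote URLs through its stream wrappers.
 */
function assertRemoteFetchDisabled(): void
{
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException(
            'allow_url_fopen is enabled; disable it in php.ini until Flarum is upgraded to 1.8.0 or later'
        );
    }
}

// Demonstration with constructed inputs written to temporary files:
// a 1x1 transparent PNG and a text file whose "content" is just a URL.
$realPng = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$urlAsFile = "http://internal-service.example/\n"; // constructed sample, not a real host

foreach (['real-png' => $realPng, 'url-as-file' => $urlAsFile] as $label => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    try {
        $bytes = validatedImageBytes($tmp);
        echo "{$label}: accepted, " . strlen($bytes) . " bytes\n";
    } catch (UploadValidationError $e) {
        echo "{$label}: rejected ({$e->getMessage()})\n";
    } finally {
        unlink($tmp);
    }
}
```

The first sample is accepted and the second is rejected at the MIME check (`text/plain`), so the URL string never reaches the image decoder. `assertRemoteFetchDisabled()` is meant to be called at application bootstrap on an unpatched install; it enforces the advisory's workaround rather than relying on every deployment's php.ini being edited by hand.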

