CVE-2024-21641
Published: 05 January 2024
Summary
CVE-2024-21641 is a medium-severity Open Redirect (CWE-601) vulnerability in Flarum. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Flarum, an open source discussion platform, is affected by an open redirect vulnerability in the /logout route prior to version 1.8.5. The route accepts an unvalidated redirect parameter that permits redirection from the trusted installation domain to an arbitrary external URL. The issue is tracked as CWE-601 and carries a CVSS 3.1 score of 6.5.
Any unauthenticated attacker can exploit the flaw by supplying a crafted logout URL. Guests are redirected immediately, while logged-in users are redirected after confirming the logout action. The primary impact is abuse of the trusted domain for spam or phishing campaigns that direct visitors to attacker-controlled sites.
The vulnerability was addressed in flarum/core 1.8.5. The official GitHub Security Advisory and associated commits document the fix, and administrators are advised to upgrade. As a temporary workaround, certain third-party extensions that override the logout route may mitigate the issue provided their own redirect handling is implemented securely.
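The underlying defect is a logout handler that redirects wherever its redirect parameter points without first checking that the destination stays on the installation's own domain. The snippet below is an added illustration written for this page in Python; it is not Flarum's PHP code, nor the 1.8.5 patch. The parameter name `return`, the trusted host `forum.example.org` and the sample query strings are constructed. It shows the same-origin check a logout route (or an extension that overrides it) needs before issuing the redirect, and the malformed shapes such a check must also refuse (protocol-relative `//host`, a userinfo segment that hides the real host, backslashes some browsers normalise to slashes, and non-HTTP schemes).

```python
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder for the installation's own host name(s).
TRUSTED_HOSTS = {"forum.example.org"}


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if `target` stays on the installation's own domain.

    Accepts a site-absolute path ("/d/42") or an absolute http(s) URL whose
    host is in `trusted_hosts`; rejects anything a browser could resolve to
    another origin.
    """
    if not target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        # Unparseable input (bad IPv6 brackets, odd characters) is not a page we know.
        return False

    # Non-HTTP schemes (javascript:, data:, ...) are never a valid landing page.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    # Absolute or protocol-relative URL ("https://x", "//x"): the host must be ours.
    # urlsplit() parses "https://forum.example.org@evil.example/" with hostname
    # "evil.example", so comparing .hostname (lower-cased) defeats the userinfo trick.
    if parts.netloc:
        return parts.hostname is not None and parts.hostname in trusted_hosts

    # A scheme with no authority ("http:evil.example") has no host we can check.
    if parts.scheme:
        return False

    # Plain path: one leading slash and no backslashes, because some browsers
    # normalise "/\\evil.example" to "//evil.example" before navigating.
    return target.startswith("/") and not target.startswith("//") and "\\" not in target


def resolve_logout_redirect(query_string: str, default: str = "/") -> str:
    """Decide where a logout handler sends the user; `return` is a constructed parameter name."""
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("return", [""])[0]
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample query strings as they might appear on /logout requests.
    for qs in ("return=/d/42-welcome",
               "return=https://forum.example.org/d/42-welcome",
               "return=https://evil.example/login",
               "return=//evil.example/login",
               "return=https://forum.example.org@evil.example/",
               "return=/\\evil.example",
               "return=javascript:alert(1)"):
        print(f"{qs!r:55} -> {resolve_logout_redirect(qs)}")
```

The check runs before any logout confirmation step: the confirmation protects logged-in users from an unintended logout, but guests are redirected straight away, so only validation of the target itself closes the gap. The same predicate, applied to access-log entries for the logout route, also gives a simple detection signal: requests whose redirect parameter fails `is_safe_redirect` are attempts to use the forum's domain as a hop to another site.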
The EPSS score has remained near 0.38 with only minor fluctuation between its current and peak values, indicating no significant post-disclosure surge in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0279
Vulnerability details
Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls listed for it are derived from the weakness type cited in the NVD entry (CWE-601, Open Redirect).