Cyber Resilience

CVE-2024-21641

Medium

Published: 05 January 2024
Modified: 17 January 2025
KEV Added: not listed
Patch: fixed in flarum/core 1.8.5
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS score: 0.3794 (97.3rd percentile)
Risk priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-21641 is a medium-severity Open Redirect (CWE-601) vulnerability in Flarum (vendor flarum, product flarum). Its CVSS base score is 6.5 (Medium).

Operationally, its EPSS score places it in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Flarum, an open source discussion platform, is affected by an open redirect vulnerability in the /logout route prior to version 1.8.5. The route accepts an unvalidated redirect parameter that permits redirection from the trusted installation domain to an arbitrary external URL. The issue is tracked as CWE-601 and carries a CVSS 3.1 base score of 6.5.

Any unauthenticated attacker can exploit the flaw by supplying a crafted logout URL. Guests are redirected immediately, while logged-in users are redirected after confirming the logout action. The primary impact is abuse of the trusted domain for spam or phishing campaigns that direct visitors to attacker-controlled sites.

The vulnerability was addressed in flarum/core 1.8.5. The official GitHub Security Advisory and associated commits document the fix, and administrators are advised to upgrade. As a temporary workaround, certain third-party extensions that override the logout route may mitigate the issue provided their own redirect handling is implemented securely.

The EPSS score has remained near 0.38 with only minor fluctuation between its current and peak values, indicating no significant post-disclosure surge in observed exploitation interest.


Vulnerability details

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe.

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: flarum
Product: flarum
Affected versions: ≤ 1.8.5 (fix released in flarum/core 1.8.5)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Security awareness (addresses CWE-601): includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

- Redirect target validation (addresses CWE-601): validates redirect targets and URLs to ensure they conform to allowed destinations.
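The redirect-validation control above, and the unvalidated `/logout` parameter described in the analysis, as an added example that is not code from the Flarum project, the advisory, or this page: an allow-list check that resolves the requested value against the installation's own base URL the way a browser would, and honours it only when it stays on the same origin. The base URL, sample values and function names are constructed for the illustration; Python is used instead of Flarum's PHP so the check can be run stand-alone.

```python
from urllib.parse import urljoin, urlparse

# Assumed base URL of the Flarum installation (constructed for this example).
INSTALL_BASE = "https://forum.example.org/"


def is_safe_redirect(target: str, base_url: str = INSTALL_BASE) -> bool:
    """Return True only if `target` resolves to the installation's own origin.

    Resolving against the base URL and then comparing scheme and host catches
    the usual open-redirect forms: absolute URLs, protocol-relative "//host",
    backslash variants, and "trusted@evil" authority confusion.
    """
    if not target:
        return False
    # Browsers treat backslashes in http(s) URLs as slashes, so "/\evil.example"
    # would become "//evil.example"; normalise before parsing.
    target = target.replace("\\", "/")
    # Control characters and whitespace are stripped or mangled by browsers
    # before parsing; refuse rather than guess how they will be interpreted.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and other non-HTTP schemes
    resolved = urlparse(urljoin(base_url, target))
    base = urlparse(base_url)
    return (resolved.scheme.lower(), resolved.netloc.lower()) == (
        base.scheme.lower(), base.netloc.lower())


def logout_redirect_target(requested: str, base_url: str = INSTALL_BASE) -> str:
    """Hardened form of the logout handling: use the requested target only
    when it stays on-site, otherwise fall back to the installation base URL."""
    return requested if is_safe_redirect(requested, base_url) else base_url


if __name__ == "__main__":
    # Constructed inputs: on-site paths beside typical off-site redirect forms.
    for candidate in ["/d/42-welcome", "https://forum.example.org/t/news",
                      "https://evil.example/login", "//evil.example/",
                      "/\\evil.example", "https://forum.example.org@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:48} -> {logout_redirect_target(candidate)}")
```

Note that the comparison is strict about scheme and port, so a target on `http://` or on a non-default port is refused even when the host matches; widen the allow-list deliberately if an installation needs that.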

References