
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-22487 affects Flarum, an open-source forum platform, specifically the post-mention feature provided by the bundled flarum/mentions extension. Disclosed in January 2023, it affects all Flarum releases before 1.6.3. Any user who can write a post can mention an arbitrary post ID using the special @""#p syntax, and the forum resolves that mention without checking whether the author is allowed to see the target post, so private content can be exposed (GitHub Advisory).
The leak has two components in the mentions feature: 1) a URL to the mentioned post is inserted into the actor's post HTML, revealing the target's discussion ID and post number, and 2) the mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/ JSON responses carries the full JSON:API payload of every mentioned post with no access control applied. The vulnerability has a CVSS v3.1 base score of 7.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N: network attack vector, low attack complexity, only low privileges required (an ordinary account able to post), no user interaction, changed scope, and high impact on confidentiality with none on integrity or availability (GitHub Advisory, NVD).
An attacker with a posting account can therefore extract every post in the forum database by mentioning its ID, including posts awaiting approval, posts in tags the attacker cannot access, and posts in private discussions. Non-comment posts such as tag-change or rename events are exposed as well. Discussion payloads themselves are not returned, but the discussion ID and post number carried in each mention link let the attacker map leaked posts back onto their discussions and reassemble them (GitHub Advisory).
The vulnerability is fixed in flarum/core v1.6.3. Administrators should upgrade immediately with 'composer update --prefer-dist --no-dev -a -W'. Until the upgrade is applied, disabling the mentions extension removes the vulnerable code path. The installed version can be checked with 'composer show flarum/core' (GitHub Advisory).
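The following is an added, self-contained model of the two leaks described above and of the access check that closes them. It is illustrative Python, not Flarum's PHP code and not the project's actual patch. Assumed, not taken from the advisory: that a post mention is written @"<name>"#p<id> (the @""#p shorthand above), that a resolved mention renders as a link of the form /d/<discussionId>/<postNumber>, and that a readers set stands in for Flarum's tag permissions, approval state and private-discussion checks. The sample posts are constructed.

```python
import re
from dataclasses import dataclass

# Post mention as written in a post body, e.g. @"alice"#p7 (the @""#p syntax
# named in the advisory; the @"<name>" part is an assumption of this model).
MENTION_RE = re.compile(r'@"(?P<name>[^"]*)"#p(?P<post_id>\d+)')
# Link shape assumed for a rendered mention: /d/<discussionId>/<postNumber>
LINK_RE = re.compile(r'href="/d/(?P<discussion_id>\d+)/(?P<number>\d+)"')


@dataclass(frozen=True)
class Post:
    id: int
    discussion_id: int
    number: int          # position of the post inside its discussion
    content: str
    readers: frozenset   # constructed stand-in for tag/approval/privacy permissions


def can_see(actor: str, post: Post) -> bool:
    """Stand-in for Flarum's visibility scoping (tag access, approval, privacy)."""
    return actor in post.readers


# Constructed sample database: posts 7 and 9 are not visible to "bob".
POSTS = {
    1: Post(1, 10, 1, "welcome thread opener", frozenset({"alice", "bob"})),
    7: Post(7, 42, 3, "private: salary figures", frozenset({"alice"})),
    9: Post(9, 55, 2, "awaiting moderator approval", frozenset({"alice"})),
}


def _payload(post: Post) -> dict:
    # The "full JSON:API payload" of the advisory, reduced to its essentials.
    return {"id": post.id, "discussionId": post.discussion_id,
            "number": post.number, "content": post.content}


def render_vulnerable(actor: str, text: str, posts: dict = POSTS) -> dict:
    """Pre-1.6.3 behaviour as the advisory describes it: every mentioned post id
    is resolved, its URL goes into the HTML and its payload into mentionsPosts.
    `actor` is never consulted; that omission is the bug."""
    mentioned = []

    def link(m):
        post = posts.get(int(m["post_id"]))
        if post is None:
            return m.group(0)
        mentioned.append(post)
        return f'<a href="/d/{post.discussion_id}/{post.number}">@{m["name"]}</a>'

    html = MENTION_RE.sub(link, text)
    return {"contentHtml": html, "mentionsPosts": [_payload(p) for p in mentioned]}


def render_hardened(actor: str, text: str, posts: dict = POSTS) -> dict:
    """Same pipeline with the missing check: a mention is resolved only when the
    actor may see the target; otherwise the raw text is kept, so neither the
    link (discussion id, post number) nor the payload leaves the server."""
    mentioned = []

    def link(m):
        post = posts.get(int(m["post_id"]))
        if post is None or not can_see(actor, post):
            return m.group(0)
        mentioned.append(post)
        return f'<a href="/d/{post.discussion_id}/{post.number}">@{m["name"]}</a>'

    html = MENTION_RE.sub(link, text)
    return {"contentHtml": html, "mentionsPosts": [_payload(p) for p in mentioned]}


def leaked_discussion_ids(content_html: str) -> set:
    """What an attacker harvests from the returned HTML to rebuild discussions."""
    return {int(m["discussion_id"]) for m in LINK_RE.finditer(content_html)}


if __name__ == "__main__":
    probe = 'see @"alice"#p1 and @"x"#p7 and @"x"#p9'   # constructed attacker post
    before = render_vulnerable("bob", probe)
    after = render_hardened("bob", probe)
    print("vulnerable: posts", [p["id"] for p in before["mentionsPosts"]],
          "discussions", sorted(leaked_discussion_ids(before["contentHtml"])))
    print("hardened:   posts", [p["id"] for p in after["mentionsPosts"]],
          "discussions", sorted(leaked_discussion_ids(after["contentHtml"])))
```

The point of the hardened variant is that the visibility check sits at the place where the mention is resolved, so both outputs derived from it (the link in the HTML and the mentionsPosts relationship) are covered by one decision; filtering only the JSON relationship would still leave the discussion ID and post number in the HTML.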
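For checking many installations at once, the version can be read from the site's composer.lock instead of running 'composer show flarum/core' by hand. The following is an added example, not part of the advisory; the lockfile excerpts are constructed, and it assumes Composer records tagged releases with an optional leading "v" (for example "v1.6.2"). Versions that are not plain releases (branch aliases such as "dev-main") cannot be ordered against 1.6.3 and are reported as undeterminable rather than guessed.

```python
import json
import re

PATCHED = (1, 6, 3)  # flarum/core release that fixes CVE-2023-22487

# Constructed lockfile excerpts (real files carry many more packages and fields).
SAMPLE_LOCK_VULNERABLE = json.dumps({"packages": [
    {"name": "flarum/mentions", "version": "v1.6.2"},
    {"name": "flarum/core", "version": "v1.6.2"},
]})
SAMPLE_LOCK_PATCHED = json.dumps({"packages": [
    {"name": "flarum/core", "version": "v1.6.3"},
]})
SAMPLE_LOCK_DEV = json.dumps({"packages": [
    {"name": "flarum/core", "version": "dev-main"},
]})


def parse_version(ver: str):
    """'v1.6.2' -> (1, 6, 2). Returns None for anything that is not a plain
    x.y.z release (dev branches, pre-release suffixes), which must be checked
    by hand rather than silently treated as safe or unsafe."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ver.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def flarum_core_version(lock_text: str):
    """Version string recorded for flarum/core in a composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "flarum/core":
            return pkg.get("version")
    return None


def is_vulnerable(lock_text: str):
    """True if flarum/core < 1.6.3, False if >= 1.6.3, None if undeterminable
    (no flarum/core entry, or a version that is not a plain release)."""
    ver = flarum_core_version(lock_text)
    if ver is None:
        return None
    parsed = parse_version(ver)
    if parsed is None:
        return None
    return parsed < PATCHED


if __name__ == "__main__":
    import sys
    # Usage: python check_flarum.py /path/to/site/composer.lock
    with open(sys.argv[1], encoding="utf-8") as fh:
        verdict = is_vulnerable(fh.read())
    print({True: "VULNERABLE: flarum/core older than 1.6.3",
           False: "patched (flarum/core 1.6.3 or later)",
           None: "undeterminable: check 'composer show flarum/core' manually"}[verdict])
```

The mentions extension ships with flarum/core and its fixed version is the one in flarum/core 1.6.3, so checking flarum/core is sufficient; a "dev-main" or similar branch install is deliberately left to a manual check.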
Source: This report was generated using AI