CVE-2023-27577: 
PHP vulnerability analysis and mitigation

A path traversal vulnerability was discovered in the LESS parser of Flarum Core package versions below 1.6.3. The vulnerability, identified as CVE-2023-27577, was disclosed on March 10, 2023. This security issue affects the custom LESS functionality in Flarum's forum software package (GitHub Advisory).

The vulnerability exists in the LESS parser functionality where an attacker with compromised admin credentials can exploit path traversal techniques to read sensitive server files. The vulnerability has a CVSS v3.1 score of 6.5 (Moderate), with attack vector being Network, low attack complexity, requiring high privileges, and no user interaction. The attack can be executed through the custom LESS setting by providing absolute paths to sensitive files, which the LESS parser then processes (GitHub Advisory).

If successfully exploited, the vulnerability allows an attacker with admin access to read sensitive files on the server. For example, an attacker could access system files like '/etc/passwd' through the LESS parser using @import statements or data-uri functions (GitHub Advisory).

The vulnerability has been patched in Flarum version 1.7.0. Users are advised to upgrade to this version to address the security issue. As temporary workarounds, administrators should ensure strong password policies for admin accounts and implement appropriate file permissions and access controls on the server (GitHub Advisory).