CVE-2024-21641: 
PHP vulnerability analysis and mitigation

Flarum, an open source discussion platform software, was found to contain a vulnerability in versions prior to 1.8.5. The vulnerability exists in the /logout route, which includes a redirect parameter that allows any third party to redirect users from a trusted domain of the Flarum installation to any link. The issue was discovered and disclosed on January 5, 2024, and was assigned CVE-2024-21641 (GitHub Advisory).

The vulnerability is classified as an open redirect vulnerability (CWE-601). When accessing the logout route, the application accepts a 'return' parameter that can be used to redirect users to arbitrary URLs. For logged-in users, the logout action requires confirmation, while guests are immediately redirected. The vulnerability can be exploited using a URL pattern like 'example.com/logout?return=https://google.com'. The issue has been assigned a CVSS v3.1 base score of 4.7 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N by NIST NVD (NVD).

This vulnerability could be exploited by spammers to redirect users to malicious web addresses while leveraging the trust associated with the domain of a running Flarum installation. The impact is particularly concerning as it affects both authenticated users and guests, though authenticated users have the protection of a confirmation step (GitHub Advisory).

The vulnerability has been fixed in Flarum/core version 1.8.5. Users are strongly recommended to upgrade using the command 'composer update --prefer-dist --no-dev -a -W'. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe, though updating to version 1.8.5 is the recommended solution (GitHub Advisory).