Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., subdomain.host.com
) sets cookies scoped to the parent domain (.host.com
). This allows session token replacement for applications hosted on sibling subdomains (e.g., community.host.com
) if session tokens arent rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the parent domain (e.g., evil.host.com
or x.y.host.com
), and the parent domain must not be on the Public Suffix List. Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browsers security measures this does not seem to be exploitable as described. Version 1.8.10 contains a patch for the issue.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.