
CVE-2019-11514: Flarum mishandles invalidation of user email tokens

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.46742%
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
flarum/flarum   composer    < 0.1.0-beta.8        0.1.0-beta.8

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from incomplete cleanup of email tokens during confirmation. The commit diff shows that the fix changed the handler from deleting only the single presented token ($token->delete()) to deleting all of the user's email tokens ($user->emailTokens()->delete()). The original implementation in ConfirmEmailHandler.php removed only the specific confirmation token that was used, leaving any other outstanding tokens for the same user valid. This matches CWE-459 (Incomplete Cleanup) and the vulnerability's nature of improper token invalidation.
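To make the root-cause description concrete, the following added example (not Flarum's code; EmailToken, EmailTokenStore and ConfirmEmailHandler are hypothetical simplifications, and the two-token scenario is constructed) contrasts the per-token deletion of the original handler with the per-user deletion the fix introduced. It assumes PHP 8.1 or later.

```php
<?php
// Added illustration, not Flarum's code: a minimal e-mail confirmation
// handler showing why deleting only the presented token is incomplete
// cleanup (CWE-459). All classes here are hypothetical simplifications.

declare(strict_types=1);

final class EmailToken
{
    public function __construct(
        public readonly string $id,     // random value mailed to the user
        public readonly int $userId,
        public readonly string $email,  // address this token would confirm
    ) {}
}

/** In-memory stand-in for an email_tokens table. */
final class EmailTokenStore
{
    /** @var array<string, EmailToken> keyed by token id */
    private array $tokens = [];

    public function add(EmailToken $t): void
    {
        $this->tokens[$t->id] = $t;
    }

    public function find(string $id): ?EmailToken
    {
        return $this->tokens[$id] ?? null;
    }

    /** Analogue of $token->delete(): removes one token only. */
    public function deleteOne(string $id): void
    {
        unset($this->tokens[$id]);
    }

    /** Analogue of $user->emailTokens()->delete(): removes every token of the user. */
    public function deleteAllForUser(int $userId): void
    {
        $this->tokens = array_filter(
            $this->tokens,
            fn (EmailToken $t) => $t->userId !== $userId
        );
    }

    public function countForUser(int $userId): int
    {
        return count(array_filter(
            $this->tokens,
            fn (EmailToken $t) => $t->userId === $userId
        ));
    }
}

final class ConfirmEmailHandler
{
    public function __construct(
        private EmailTokenStore $store,
        private bool $invalidateAll,    // true = post-fix behaviour
    ) {}

    /** Returns the confirmed address, or null if the token is unknown. */
    public function handle(string $tokenId): ?string
    {
        $token = $this->store->find($tokenId);
        if ($token === null) {
            return null;
        }
        // A real handler would update the user's address here.
        if ($this->invalidateAll) {
            // Fixed: every outstanding token for this user is invalidated.
            $this->store->deleteAllForUser($token->userId);
        } else {
            // Pre-fix: only the presented token is removed; siblings stay valid.
            $this->store->deleteOne($token->id);
        }
        return $token->email;
    }
}

// Constructed scenario: user 42 requested two address changes, so two
// tokens are outstanding, and the newer one is confirmed first.
foreach ([false, true] as $fixed) {
    $store = new EmailTokenStore();
    $store->add(new EmailToken('tok-old', 42, 'first-request@example.com'));
    $store->add(new EmailToken('tok-new', 42, 'second-request@example.com'));

    $handler = new ConfirmEmailHandler($store, $fixed);
    $handler->handle('tok-new');

    printf(
        "%s: %d token(s) still valid for user 42; stale token is %s\n",
        $fixed ? 'fixed' : 'vulnerable',
        $store->countForUser(42),
        $handler->handle('tok-old') === null ? 'rejected' : 'still accepted'
    );
}
```

Run with `php example.php`: in the vulnerable configuration the older token is still accepted after the newer one has been confirmed, while the fixed configuration leaves no token for the user and rejects it. The detection angle for operators is the same as the fix's logic: any accepted confirmation token that is not the most recently issued one for that user is worth an alert.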


WAF Protection Rules

WAF Rule

`User/Command/ConfirmEmailHandler.php` in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.
