CVE-2019-11514: Flarum mishandles invalidation of user email tokens
CVSS Score: 7.5 (CVSS 3.0)
Basic Information
CVE ID: CVE-2019-11514
GHSA ID:
EPSS Score: 0.46742%
CWE: CWE-459 (Incomplete Cleanup)
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
flarum/flarum | composer | < 0.1.0-beta.8 | 0.1.0-beta.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from incomplete cleanup of email tokens during email confirmation. The commit diff shows the fix changed from deleting only the single token that was just used (`$token->delete()`) to deleting all of the user's email tokens (`$user->emailTokens()->delete()`). The original implementation in ConfirmEmailHandler.php removed only the specific confirmation token, so any other tokens previously issued for that user remained valid after confirmation and could still be redeemed. This matches the CWE-459 (Incomplete Cleanup) description and the vulnerability's nature as improper token invalidation.