A note regarding Flarum's Tags extension vulnerability
This message is meant for those who might be subscribed to this thread. If you visited the forum/Discord yesterday, you should already be aware of the vulnerability that was discovered and patched in Flarum's Tags extension.
If you haven't already updated your forum, I urge you to apply the update as described in the official announcement: https://discuss.flarum.org/d/25059. This extension doesn't need an update to benefit from the fix; only the Tags extension must be updated.
There is a very specific case where the vulnerability found in Tags can expose private data if you also use See Past First Post. It might apply to very few of you.
If you only use a global setting for See Past First Post and have not applied any per-tag restriction, there is no additional impact outside of what's described in the Flarum announcement.
If you use per-tag permissions to restrict content to logged-in users under some tags, an attacker could exploit the vulnerability to move discussions to a tag that's visible to guests. This has limited impact, since anyone could already register to gain access to the content, and you need an account to perform the attack.
If you use per-tag permissions to restrict replies to private groups under only some of the tags, this is where the vulnerability is dangerous. An attacker with no groups could move such a discussion to a tag where they then gain the ability to read (and possibly post) replies.
If the attacker performs the attack and then reverts to the original tags without anybody posting in the discussion during this time, the attack will leave effectively no trace, since Flarum deletes the "change post" event posts when tags are changed back to what they were previously.
I strongly recommend installing my Audit Log extension which will keep traces of such actions if they were to happen.
There is currently no indication that the vulnerability has been exploited in the wild.