Yesterday we released an emergency security fix for the bundled Tags extension. Here are more details.
This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.
Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.
By moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.
The full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.
Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.
Forums that don't use the Tags extension are unaffected.
The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.
Thank you to @LianSheng for finding it and to @SychO for the quick fix!
How to update
If you are using Flarum beta 13:
In your Flarum folder (containing
composer update flarum/tags --prefer-dist --no-dev -a
You can then confirm the update worked by checking Composer output (should say "updating to v0.1.0-beta.13.2"), or by checking the version number in the admin panel in the extension list.
If you are using beta 12 or older:
You should update to Flarum beta 13 as soon as possible. We unfortunately can't support older Flarum releases with security fixes. Follow the instructions to update. The security fix will automatically be applied when you perform the update to beta 13.
The original fix released as v0.1.0-beta.13.1 contained an error. We have released an updated fix as v0.1.0-beta.13.2. If you already installed the 13.1 fix, repeat the steps above to install 13.2.
In our haste to get the fix out we missed an important quality check. We will review our process so this doesn't happen again. We apologize for the inconvenience.