rasheka, please reach out to our security contact and include additional details on how to reproduce these vulnerabilities. I am not familiar with Acunetix, but I hope they provide you with more details because there is nothing actionable with the summary as you published it. We need to know the endpoints and components impacted, and ideally a proof of concept for the exploit. Also please clarify which Flarum version this applies to. We really appreciate security analysis for both Flarum 1.8 and 2.0 (beta).
If the tool analyzed your hosting with Flarum on it rather than just Flarum by itself, you should immediately check your server configuration, because this makes it sound like you have insecure shell and database access, or possibly an incorrectly configured Flarum root directory or Apache rewrite rules. If you accidentally exposed your config.php file content, you should change your database credentials. If you have reasons to think your database has been downloaded, you should reset all your users' passwords.
Most of what you describe is possible if you manage to compromise an admin user account, or an extension. But neither of those is considered a security issue with the Flarum software. Forum owners are responsible for properly securing their server and forum accounts, and for choosing with care which extensions they install.
For our part, we will take down any malicious or compromised third-party extension from the official listing and report them to Packagist and GitHub once we are made aware of them.
Security issues with Flarum core and core extensions reported through the proper channels will be discussed in private and promptly addressed.