CVE-2024-58302 is a vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), affecting FriendsofFlarum Pretty Mail version 1.1.2. This PHP extension integrates with the Flarum forum platform to customize email templates. The flaw arises because the software does not properly validate or sanitize the filename input used in PHP include or require statements within email templates. As a result, an attacker with administrative privileges can craft malicious template settings that include arbitrary local files from the server during email generation. This local file inclusion (LFI) can be exploited to read sensitive files such as /etc/passwd, potentially disclosing user account information and other critical system data. The vulnerability does not require user interaction and can be exploited remotely over the network, but it does require administrative privileges on the Flarum instance. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. No known public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of CVE-2024-58302 is unauthorized disclosure of sensitive server files, which can lead to information leakage about system configuration, user accounts, and potentially other confidential data stored on the server. This can facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation of disclosed information. Since the vulnerability requires administrative privileges, the risk is somewhat mitigated by the need for an attacker to first compromise or gain admin access to the Flarum forum. However, in environments where multiple administrators exist or where admin credentials are weak or reused, this vulnerability significantly increases the attack surface. Organizations running Flarum forums with the Pretty Mail extension are at risk of data breaches and loss of confidentiality. The impact is especially critical for organizations that rely on Flarum for community engagement, customer support, or internal communication, as exposure of internal files could damage reputation and trust.

To mitigate CVE-2024-58302, organizations should immediately upgrade to a patched version of FriendsofFlarum Pretty Mail once available. In the absence of a patch, administrators should disable or remove the Pretty Mail extension to prevent exploitation. Restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Review and harden file permissions on the server to limit access to sensitive files like /etc/passwd. Implement monitoring and alerting for unusual email template changes or suspicious administrative activity. Additionally, conduct regular security audits of the Flarum installation and extensions to detect unauthorized modifications. Consider isolating the Flarum server within a segmented network zone to limit exposure. Finally, educate administrators about the risks of arbitrary file inclusion vulnerabilities and the importance of secure template management.