
CVE-2024-58302: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Flarum FriendsofFlarum Pretty Mail

Severity: Medium
Tags: Vulnerability, CVE-2024-58302, CWE-98
Published: Thu Dec 11 2025 (12/11/2025, 21:40:09 UTC)
Source: CVE Database V5
Vendor/Project: Flarum
Product: FriendsofFlarum Pretty Mail

Description

FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation.

AI-Powered Analysis

Last updated: 12/19/2025, 04:11:26 UTC

Technical Analysis

CVE-2024-58302 describes a local file inclusion (LFI) vulnerability in FriendsofFlarum Pretty Mail 1.1.2, an extension for the PHP-based Flarum forum software that lets administrators customise the email templates the forum sends. The weakness is the one catalogued as CWE-98: a filename that reaches a PHP include or require statement is derived from attacker-controlled data, in this case the extension's email template settings. An administrative user can place a file inclusion payload in those settings (for example a path traversal sequence pointing at /etc/passwd), and the named file is pulled in the next time the forum generates an email, so its contents are disclosed. On a Unix-like host /etc/passwd only reveals local account names; more damaging targets in a Flarum deployment are Flarum's config.php, which holds the database credentials, and any other file the web server user can read. Exploitation requires an administrator account on the forum, so an attacker must already hold one or have compromised one. The CVSS 4.0 vector reflects this: network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), high confidentiality impact (VC:H), and no integrity or availability impact. No public exploit had been reported at the time of this analysis, but the payload is trivial to construct once admin access exists. No patch link is recorded on this page, so operators should confirm with the FriendsofFlarum project whether a fixed release exists rather than assume one. The advisory names only version 1.1.2 as affected and does not state whether earlier releases share the flaw, so installations running older versions should be checked rather than assumed safe; organisations that do not use this extension are not affected.
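To make the CWE-98 pattern concrete, the following PHP is an added example written for this page. It is not Pretty Mail's or Flarum's code, and the page does not show where the extension's include sits, so the function, class and setting names (render_mail_template_vulnerable, TemplateRenderer, looks_like_inclusion_payload, the template directory) are all hypothetical. It contrasts an include that trusts an admin-editable setting with one that confines template names to an allowlist under a fixed directory and verifies the resolved path, and adds a small audit check for stored settings values; the probe inputs at the end are constructed for the demonstration.

```php
<?php
// Added illustration for CVE-2024-58302 (CWE-98). NOT code from FoF Pretty Mail
// or Flarum; every name here is hypothetical. Requires PHP >= 8.0 (str_starts_with).

declare(strict_types=1);

// Vulnerable pattern: an admin-editable setting is used directly as the include
// target. Traversal ("../../../../etc/passwd"), absolute paths and stream wrappers
// ("php://filter/...") are all honoured by PHP and the result lands in the email.
function render_mail_template_vulnerable(string $templateSetting, array $vars): string
{
    extract($vars, EXTR_SKIP);
    ob_start();
    include $templateSetting;   // CWE-98: attacker-chosen filename reaches include
    return (string) ob_get_clean();
}

// Hardened pattern: a bare, allowlisted template name resolved under one base
// directory, with realpath() confirming the final path did not escape it.
final class TemplateRenderer
{
    private string $baseDir;
    /** @var string[] */
    private array $allowed;

    public function __construct(string $baseDir, array $allowed)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("template directory not found: $baseDir");
        }
        $this->baseDir = $real;
        $this->allowed = $allowed;
    }

    /** Absolute path of an allowed template, or null if $name is not permitted. */
    public function resolve(string $name): ?string
    {
        // 1. Shape check: a plain file name, no separators, no scheme, no NUL.
        if (!preg_match('/\A[A-Za-z0-9_-]+\.blade\.php\z/', $name)) {
            return null;
        }
        // 2. Explicit allowlist of the template names the extension ships.
        if (!in_array($name, $this->allowed, true)) {
            return null;
        }
        // 3. Filesystem check: symlinks inside the directory must not point outside it.
        $path = realpath($this->baseDir . DIRECTORY_SEPARATOR . $name);
        if ($path === false || !str_starts_with($path, $this->baseDir . DIRECTORY_SEPARATOR)) {
            return null;
        }
        return $path;
    }

    public function render(string $name, array $vars): string
    {
        $path = $this->resolve($name);
        if ($path === null) {
            throw new InvalidArgumentException("template not permitted: $name");
        }
        extract($vars, EXTR_SKIP);
        ob_start();
        include $path;
        return (string) ob_get_clean();
    }
}

// Audit helper: flags a stored settings value that looks like an inclusion payload
// (traversal, absolute path, stream wrapper scheme, embedded NUL).
function looks_like_inclusion_payload(string $value): bool
{
    return (bool) preg_match('#(\.\./|\.\.\\\\|\A/|\A[a-z][a-z0-9+.-]*://|\x00)#i', $value);
}

// Demonstration with a throwaway template directory and constructed probe values.
$dir = sys_get_temp_dir() . '/mail_templates_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/default.blade.php', "Hello <?= htmlspecialchars(\$user) ?>\n");

$renderer = new TemplateRenderer($dir, ['default.blade.php']);
$probes = [
    'default.blade.php',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=/etc/passwd',
    '/etc/passwd',
    'default.blade.php/../../../etc/passwd',
];
foreach ($probes as $p) {
    printf("%-58s %-8s %s\n", $p,
        $renderer->resolve($p) === null ? 'rejected' : 'allowed',
        looks_like_inclusion_payload($p) ? 'flagged' : 'clean');
}
echo $renderer->render('default.blade.php', ['user' => 'forum admin']);
```

Run it with PHP 8 from the command line. The order of the checks matters: realpath() on its own is not a defence, since it resolves /etc/passwd perfectly well, while a name check on its own misses a symlink dropped inside the template directory, so both are applied. If the template body is rendered through a template engine whose own include directives resolve file paths (Blade's @include, for instance), the same confinement has to apply to whatever paths that engine resolves.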

Potential Impact

For European organizations, this vulnerability primarily threatens the confidentiality of data held on the forum server. An attacker who obtains administrative access to a Flarum forum running Pretty Mail 1.1.2 can read any file the web server process can open: application configuration including database credentials, other secrets kept on the host, and system files that help profile the machine. That information can be used to reach the database directly, pivot to other systems, or craft more targeted follow-on attacks. The exposure is greater where forums carry internal communications or sensitive discussions. Because exploitation requires administrative privileges, strong access control on admin accounts reduces the risk considerably, but insider misuse and stolen admin credentials remain realistic paths to it. Integrity and availability are not directly affected; the confidentiality breach, however, may carry GDPR obligations if personal data (such as member details in the forum database) is exposed. Organizations relying on Flarum forums for customer engagement or community management should assess their exposure and prioritise remediation to limit reputational and compliance impact.

Mitigation Recommendations

1. Restrict administrative access to the Flarum forum to trusted personnel only and enforce strong authentication, including multi-factor authentication (MFA), on administrator accounts.
2. Monitor administrative activity, in particular changes to extension settings, for unexpected edits. A template setting containing ../ sequences, an absolute path, or a PHP stream wrapper scheme (php://, data://) is an indicator of exploitation.
3. Ensure template configuration can never reach an include or require statement with an attacker-chosen path: accept only an allowlist of template names, resolve them under a fixed directory, and reject everything else.
4. If possible, disable or remove FriendsofFlarum Pretty Mail 1.1.2 until a patched version is confirmed to be available.
5. Check regularly for updates and security advisories from the Flarum and FriendsofFlarum communities and apply patches promptly once released.
6. Web application firewall (WAF) rules for file inclusion patterns can flag payloads in settings updates, but the requests in question come from an authenticated administrator over a legitimate admin endpoint, so treat the WAF as a secondary control rather than a substitute for fixing the include.
7. Audit and penetration-test administrative interfaces and extension configuration.
8. Isolate the forum server from critical infrastructure, and run PHP under a dedicated low-privilege user so that an arbitrary file read is limited to what that user can open.
9. Back up forum data and server configuration regularly to enable recovery if needed.
10. Brief administrators on the risks of template manipulation and on secure configuration practices.


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-12-11T00:58:28.457Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693b3df322246175c6a4712f

Added to database: 12/11/2025, 9:56:03 PM

Last enriched: 12/19/2025, 4:11:26 AM

Last updated: 2/7/2026, 11:37:48 AM

Views: 80

