CVE-2024-58302 is a vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Programs) affecting FriendsofFlarum Pretty Mail version 1.1.2. This vulnerability allows an attacker with administrative privileges to exploit the email template functionality by injecting file inclusion payloads. The flaw stems from insufficient validation of filenames used in PHP include or require statements within the email template rendering process. By manipulating template settings, an attacker can cause the server to include arbitrary local files, such as /etc/passwd, leading to unauthorized disclosure of sensitive system information. The vulnerability does not require user interaction and can be exploited remotely over the network, but it does require administrative privileges on the Flarum forum instance. The CVSS 4.0 score is 6.9, reflecting a medium severity due to the high impact on confidentiality but limited by the requirement for elevated privileges. No public exploits or patches are currently available, increasing the importance of proactive mitigation. This vulnerability could be leveraged for further attacks if combined with other weaknesses, such as privilege escalation or lateral movement within the network.

For European organizations, especially those running community forums or customer support platforms using Flarum with the Pretty Mail extension, this vulnerability poses a risk of sensitive information disclosure. Attackers with administrative access can read critical system files, potentially exposing user data, system configurations, or credentials stored in files. This can lead to further compromise, including privilege escalation or lateral movement within the network. The impact is particularly significant for organizations handling personal data under GDPR, as unauthorized disclosure could result in regulatory penalties and reputational damage. Additionally, the ability to read arbitrary files may facilitate targeted attacks against infrastructure or intellectual property. Since the vulnerability requires administrative privileges, the risk is heightened if administrative accounts are weakly protected or compromised through phishing or credential reuse. The medium severity score reflects a balance between the high confidentiality impact and the access requirements, but the potential for chained attacks elevates the threat level in practice.

1. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) for all admin accounts. 2. Immediately audit and limit permissions for template editing within the Pretty Mail extension to prevent unauthorized modifications. 3. Implement input validation and sanitization on all template fields that accept filenames or include directives to prevent injection of malicious payloads. 4. Monitor logs for unusual template changes or email generation activities that could indicate exploitation attempts. 5. Isolate the Flarum application server from critical infrastructure to limit the impact of any file disclosure. 6. Regularly back up configuration and template files to enable quick restoration if tampering occurs. 7. Stay alert for official patches or updates from the Flarum or FriendsofFlarum development teams and apply them promptly once released. 8. Consider deploying web application firewalls (WAFs) with rules to detect and block suspicious file inclusion patterns targeting the Pretty Mail extension. 9. Conduct security awareness training for administrators to recognize phishing and social engineering attempts that could lead to credential compromise.