High severity · OSV Advisory · Published Apr 25, 2019 · Updated Aug 4, 2024
CVE-2019-11514
Description
User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens: confirming one token deleted only that token, so any other email tokens previously issued to the same user stayed valid.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flarum/flarum (Packagist) | < 0.1.0-beta.8 | 0.1.0-beta.8 |
Patches (1)
66607a567493 Always invalidate all user email tokens
2 files changed · +12 −1
src/User/Command/ConfirmEmailHandler.php+2 −1 modified@@ -53,7 +53,8 @@ public function handle(ConfirmEmail $command) $user->save(); $this->dispatchEventsFor($user); - $token->delete(); + // Delete *all* tokens for the user, in case other ones were sent first + $user->emailTokens()->delete(); return $user; }
src/User/User.php+10 −0 modified@@ -614,6 +614,16 @@ public function notifications() return $this->hasMany('Flarum\Notification\Notification'); } + /** + * Define the relationship with the user's email tokens. + * + * @return \Illuminate\Database\Eloquent\Relations\HasMany + */ + public function emailTokens() + { + return $this->hasMany(EmailToken::class); + } + /** * Define the relationship with the permissions of all of the groups that * the user is in.
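Review bot: in the ConfirmEmailHandler hunk the new `$user->emailTokens()->delete()` still runs after `$user->save()` and `$this->dispatchEventsFor($user)`, with no transaction visible around them, so an exception thrown by an event listener between the save and the delete leaves the email confirmed while every token for the user, including the one just presented, remains usable. Consider moving the delete ahead of `$this->dispatchEventsFor($user)`, or wrapping the save and the delete in a single database transaction, so that confirmation and invalidation commit together.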
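Review bot: in the User.php hunk `emailTokens()` passes `EmailToken::class` while this +10 −0 change adds no `use` statement, so the relation only resolves if `EmailToken` lives in the same namespace as `User`; the neighbouring `notifications()` relation passes a fully qualified `'Flarum\Notification\Notification'` string instead. Either add the `use` import in this commit or fully qualify the class, since `::class` is resolved at compile time without autoloading and a wrong namespace would only surface when the relation is first queried. The docblock should also say what the tokens are for (pending email changes and confirmations), matching the style of the surrounding relation docblocks.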
Vulnerability mechanics
Derived from the fix-commit diff above. Before 0.1.0-beta.8, `ConfirmEmailHandler::handle()` looked up the token presented in the request, applied it to the user, saved the user, dispatched events, and then called `$token->delete()` on that one token only. Every other email token previously issued to the same user stayed in the table and remained usable, so an earlier token (the diff's own comment: "in case other ones were sent first") could still be presented after a later one had been confirmed. The fix adds a `User::emailTokens()` HasMany relation and replaces the single delete with `$user->emailTokens()->delete()`, so confirming any token invalidates all of the user's outstanding tokens at once.
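The sequence the fix guards against, written out as an added example that is not Flarum's code: a language-neutral Python model of the handler's logic with an in-memory stand-in for the email_tokens table. The names `EmailToken`, `TokenStore`, `confirm_email` and `stale_token_scenario` are assumptions of this example, and every email address in it is constructed. The `invalidate_all` flag switches between the pre-fix behaviour (delete only the presented token) and the fixed behaviour (delete all of the user's tokens).

```python
"""Model of the token-confirmation logic touched by the fix.

Added example, not Flarum's code: an in-memory stand-in for the
email_tokens table and for ConfirmEmailHandler::handle(). The names
EmailToken, TokenStore and confirm_email are assumptions of this
example, and every address below is constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class EmailToken:
    token: str      # the secret carried in the confirmation link
    user_id: int    # owner of the token
    email: str      # address the token will set when confirmed


@dataclass
class User:
    id: int
    email: str


class TokenStore:
    """Stand-in for the email_tokens table."""

    def __init__(self):
        self._rows = {}  # token value -> EmailToken

    def issue(self, user, new_email):
        row = EmailToken(secrets.token_hex(20), user.id, new_email)
        self._rows[row.token] = row
        return row

    def find(self, token_value):
        return self._rows.get(token_value)

    def delete(self, token_value):
        # Pre-fix: $token->delete() removed only the presented row.
        self._rows.pop(token_value, None)

    def delete_all_for_user(self, user_id):
        # Fixed: $user->emailTokens()->delete() removes every row of the user.
        stale = [v for v, row in self._rows.items() if row.user_id == user_id]
        for value in stale:
            del self._rows[value]

    def count_for_user(self, user_id):
        return sum(1 for row in self._rows.values() if row.user_id == user_id)


def confirm_email(store, users, token_value, invalidate_all):
    """Apply a token to its user.

    invalidate_all=False mirrors the pre-fix handler (only the presented
    token is deleted); True mirrors the fixed handler.
    """
    token = store.find(token_value)
    if token is None:
        return False
    user = users[token.user_id]
    user.email = token.email
    if invalidate_all:
        store.delete_all_for_user(user.id)
    else:
        store.delete(token.token)
    return True


def stale_token_scenario(invalidate_all):
    """Issue two tokens, confirm the second, then replay the first.

    Returns (replay accepted?, user's final email, tokens left for user).
    """
    users = {1: User(1, "original@example.test")}
    store = TokenStore()
    first = store.issue(users[1], "first-change@example.test")
    second = store.issue(users[1], "second-change@example.test")
    assert confirm_email(store, users, second.token, invalidate_all)
    replayed = confirm_email(store, users, first.token, invalidate_all)
    return replayed, users[1].email, store.count_for_user(1)


if __name__ == "__main__":
    print("pre-fix:", stale_token_scenario(invalidate_all=False))
    print("fixed:  ", stale_token_scenario(invalidate_all=True))
```

With `invalidate_all=False` the replayed first token is accepted and silently moves the address back to the earlier, already-superseded value; with `invalidate_all=True` the replay fails because confirming the second token removed every outstanding token for the user.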
References
- https://github.com/advisories/GHSA-g6w5-439m-jhwv (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-11514 (NVD entry)
- https://discuss.flarum.org/d/17745-flarum-0-1-0-beta-8-released (Flarum 0.1.0-beta.8 release announcement)
- https://github.com/flarum/core/commit/66607a56749339d50620b049701ad4d6a4dafbd7 (fix commit)