Cross site scripting vulnerability with discussion titles in flarum
CVE-2022-41938

9CRITICAL

Key Information:

Vendor

Flarum

Status
Framework
Vendor
CVE Published:
19 November 2022

What is CVE-2022-41938?

Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. All communities running Flarum from v1.5.0 to v1.6.1 are impacted. The vulnerability has been fixed and published as flarum/core v1.6.2. All communities running Flarum from v1.5.0 to v1.6.1 have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

framework >= 1.5.0, < 1.6.2

References

https://github.com/flarum/framework/security/advisories/G...
https://github.com/flarum/framework/commit/690de9ce0ffe7a...
https://discuss.flarum.org/d/27558

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.