CVE-2022-41938 - Critical XSS Vulnerability in Flarum Discussion Titles (v1.5. – v1.6.1)

_Flarum_ is a popular open source platform for modern online forums. It's simple, fast, and used by thousands of communities worldwide. But between versions v1.5. and v1.6.1, Flarum users faced a dangerous vulnerability – one that left entire communities open to cross-site scripting (*XSS*) attacks.

What Happened?

A change to the way page titles are handled in Flarum was introduced after version 1.5. This change quietly allowed user-provided discussion titles to be converted directly into HTML DOM nodes when pages were rendered. What does this mean? If an attacker puts HTML or JavaScript code in a discussion’s title, it could run in the browser of any user who visits that page.

All communities running affected Flarum versions are at risk. There is no workaround besides upgrading.

Vulnerable Code Path

Titles in Flarum discussions come from user input. Normally, user input should always be _escaped_ before being put into the DOM (turned into a web page), to avoid running code or breaking the page layout.

Before the vulnerability, Flarum’s code for rendering titles looked something like this (simplified for illustration):

// Rendering a discussion title in the page header
$discussionTitle = $discussion->title;
echo "<title>{$discussionTitle}</title>";

The $discussionTitle variable could include HTML or JavaScript. If it wasn't properly escaped, a malicious user could submit a title such as:

<script>alert('XSS!');</script>

When another member or even an admin visits this discussion, the script inside the title would run in their browser.

How Exploitation Works

An attacker creates a new discussion or renames an existing one, setting the title to malicious code like:

<img src="x" onerror="alert('Hacked!')">

After this, any user who views the page will see the popping alert. The attack could, of course, be more dangerous – stealing cookies, injecting drive-by malware, or hijacking admin sessions.

Suppose you have a Flarum forum running, and you create a new discussion with this title

<script>alert('XSS via title!')</script>

Anyone viewing that discussion will have the alert pop up, showing the vulnerability is present.

Flarum Core from v1.5. up to (but not including) v1.6.2.

If you’re running a version in this range, your forum is at risk.

No Workarounds!

There are no known workarounds. Disabling user registrations or limiting posting does _not_ fix the core issue. Only upgrading to the secure version closes the hole.

How to Fix (Upgrade Now!)

Upgrade immediately to flarum/core v1.6.2 or later. The Flarum team patched the vulnerability by properly escaping discussion titles before rendering.

> To update:

> Follow the official upgrade guide or run

>
>

> composer update flarum/core
> 

>
> Ensure your update takes you at least to v1.6.2 or above.

References and Additional Information

- CVE-2022-41938 at GitHub Advisory Database
- flarum/core Security Release v1.6.2
- Official Flarum Security Disclosure

Conclusion

This XSS vulnerability demonstrates the risks of handling user input in web applications. All Flarum communities running versions v1.5. to v1.6.1 must upgrade immediately. Failing to do so could allow attackers to compromise user accounts, steal sensitive information, or hijack your site.

Timeline

Published on: 11/19/2022 01:15:00 UTC
Last modified on: 11/26/2022 03:19:00 UTC