Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41938
Summary
Flarum is an open source discussion platform. Flarum's page title system allowed page titles to be converted into HTML DOM nodes when pages were rendered. The change was introduced after `v1.5` and went unnoticed. It allowed an attacker to inject malicious HTML markup through the discussion title input, either by creating a new discussion or by renaming an existing one. The injected markup is rendered, and the XSS payload executes, when a visitor opens the affected discussion page. All communities running Flarum from v1.5.0 through v1.6.1 are impacted. The vulnerability has been fixed and published as flarum/core and flarum/framework `v1.6.2`. All communities running Flarum from v1.5.0 through v1.6.1 have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.
CVSS v3 Metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: LOW
- Scope: CHANGED
- User Interaction: REQUIRED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
CWE-79 - Cross-Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most prevalent class of web application vulnerabilities. It allows an attacker to inject malicious code into a vulnerable web application and victimize its users. Exploitation of such a weakness can have severe consequences, including account takeover and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, XSS has remained in the OWASP Top 10 for years.
Advisory Timeline
- Published