CVE-2022-41938

Published: Nov 19, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

9.0

CRITICAL

Description

Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. All communities running Flarum from `v1.5.0` to `v1.6.1` are impacted. The vulnerability has been fixed and published as flarum/core `v1.6.2`. All communities running Flarum from `v1.5.0` to `v1.6.1` have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.

Vendor	Product	Versions
flarum	framework	affected `>= 1.5.0, < 1.6.2`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x

https://github.com/flarum/framework/commit/690de9ce0ffe7ac4d45b73e303f44340c3433138

https://discuss.flarum.org/d/27558

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-41938

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References