
A perfect example of Flarum's customizability. This highly customised Dutch developer community has a unique layout, with beautiful elements like a custom loader. Created by the author of the popular SEO and Support Platform extensions.
As a leading British telephone network, giffgaff serves millions of customers. Through innovative use of Flarum, they've built up a passionate peer support community, improving support and engaging customers.
Leading provider of communication and entertainment in Switzerland. Their Flarum community creates a framework for healthy togetherness while supporting their customers with an appealing, user-friendly community experience.
⚠️ Affected versions:
Two of the vulnerabilities affect all versions below v1.6.3.
One affects all versions between v1.3.0 and v1.6.2.
# Update to latest version
composer update --prefer-dist --no-dev -a -W
# Verify that you're on v1.6.3
composer show flarum/core
# Clear cache
php flarum cache:clear
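A quick way to confirm the upgrade actually landed, as an added example rather than Flarum's own tooling: parse the output of composer show flarum/core and compare the installed version against the three affected ranges stated above. The sample output is constructed in the shape Composer prints for a single installed package, and the short advisory labels and helper names are this example's own.

```python
import re

# Affected ranges as stated in this release announcement, as half-open
# (lo <= version < hi) tuples; lo None means "every earlier version".
# The short names are this example's own labels, not Flarum advisory titles.
ADVISORIES = [
    ("mentionsPosts relationship leaks mentioned posts", None, (1, 6, 3)),
    ("notifications sent without access check on the subject", None, (1, 6, 3)),
    ("reply allowed after first post permanently deleted", (1, 3, 0), (1, 6, 3)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Turn 'v1.6.3' (or '1.6.3') into a comparable (1, 6, 3) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def installed_version(composer_show_output: str) -> tuple:
    """Pull the installed version out of `composer show flarum/core` output.
    Composer prints a 'versions : * vX.Y.Z' line for a single installed
    package; the asterisk marks the installed one."""
    for line in composer_show_output.splitlines():
        if line.startswith("versions"):
            _, _, value = line.partition(":")
            return parse_version(value.strip().lstrip("* "))
    raise ValueError("no 'versions' line in composer output")


def advisories_affecting(version: tuple) -> list:
    """Names of the advisories whose affected range contains `version`."""
    return [
        name
        for name, lo, hi in ADVISORIES
        if (lo is None or version >= lo) and version < hi
    ]


# Constructed sample of `composer show flarum/core` output for a forum that
# has not yet upgraded (the 'descrip.' label is Composer's own abbreviation).
SAMPLE_COMPOSER_SHOW = """\
name     : flarum/core
descrip. : Delightfully simple forum software.
versions : * v1.6.2
type     : library
"""

if __name__ == "__main__":
    version = installed_version(SAMPLE_COMPOSER_SHOW)
    hits = advisories_affecting(version)
    print("installed:", ".".join(map(str, version)))
    for name in hits:
        print("  still exposed to:", name)
    if not hits:
        print("  not within any affected range")
```

Run it against the real output of composer show flarum/core on the forum host; an empty result means the installed core is outside every affected range listed in this announcement.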
v1.6.3.

Impact
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.
All versions below v1.6.3 are affected.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, resulting in a CVSS score of 7.7. See the CVSS score breakdown.
Workarounds
Disable the mentions extension.
v1.6.3.

Impact
The notification-sending component does not check that the subject of the notification can be accessed by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this, as they are listed based on a visibility check; however, emails are still sent out.
All versions below v1.6.3 are affected.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, resulting in a CVSS score of 6.8. See the CVSS score breakdown.
Workarounds
Disable the Flarum Subscriptions extension or disable email notifications altogether.
v1.3.0 and v1.6.3.

Impact
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email.
discussions.comment_count is still above zero after the post deletion.

All versions between v1.3.0 and v1.6.3 are impacted.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, resulting in a CVSS score of 3.5. See the CVSS score breakdown.
Workarounds
If you don't delete first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a first_post_id.
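The workaround above mentions amending the database to set a first_post_id by hand. As an added example (not Flarum code), here is a detection-and-repair script against a simplified stand-in for Flarum's discussions and posts tables. The schema is an assumption reduced to the columns the advisory names (discussions.first_post_id, discussions.comment_count, and a posts table with id, discussion_id and number), it runs on in-memory SQLite rather than the forum's real MySQL database, and the sample rows are constructed. It lists still-visible discussions whose first_post_id points nowhere and re-points each at the earliest surviving post.

```python
import sqlite3

# Minimal stand-in for the two Flarum tables the advisory talks about.
# Assumption: only the columns needed for the check are modelled, and the
# real forum runs on MySQL/MariaDB, not SQLite.
SCHEMA = """
CREATE TABLE discussions (
    id INTEGER PRIMARY KEY,
    title TEXT NOT NULL,
    first_post_id INTEGER,
    comment_count INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE posts (
    id INTEGER PRIMARY KEY,
    discussion_id INTEGER NOT NULL,
    number INTEGER NOT NULL,
    content TEXT
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: discussion 1 is healthy, discussion 2 lost its first
    post (first_post_id now NULL), discussion 3 has a dangling first_post_id
    left behind by a permanent delete. All three still have comment_count > 0,
    which is the state the advisory describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO discussions VALUES (?, ?, ?, ?)", [
        (1, "Healthy thread", 1, 2),
        (2, "First post purged", None, 2),
        (3, "Dangling pointer", 99, 1),
    ])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "opening post"),
        (2, 1, 2, "reply"),
        (3, 2, 2, "reply after deleted opener"),
        (4, 2, 3, "another reply"),
        (5, 3, 2, "lone surviving reply"),
    ])
    conn.commit()
    return conn


# Visible discussions (comment_count > 0) whose first_post_id is NULL or
# refers to a post row that no longer exists.
FIND_SQL = """
SELECT d.id
FROM discussions d
LEFT JOIN posts p ON p.id = d.first_post_id
WHERE d.comment_count > 0
  AND (d.first_post_id IS NULL OR p.id IS NULL)
ORDER BY d.id
"""


def find_discussions_without_first_post(conn: sqlite3.Connection) -> list:
    """Return ids of still-visible discussions whose first_post_id points nowhere."""
    return [row[0] for row in conn.execute(FIND_SQL)]


def repair_first_post(conn: sqlite3.Connection, discussion_id: int):
    """Point first_post_id at the earliest surviving post, following the
    advisory's workaround of manually setting a first_post_id. Returns the
    post id used, or None when nothing survives (delete the discussion then)."""
    row = conn.execute(
        "SELECT id FROM posts WHERE discussion_id = ? ORDER BY number LIMIT 1",
        (discussion_id,),
    ).fetchone()
    if row is None:
        return None
    conn.execute(
        "UPDATE discussions SET first_post_id = ? WHERE id = ?",
        (row[0], discussion_id),
    )
    conn.commit()
    return row[0]


def repair_all(conn: sqlite3.Connection) -> dict:
    """Repair every affected discussion; maps discussion id -> new first_post_id."""
    return {d: repair_first_post(conn, d) for d in find_discussions_without_first_post(conn)}


if __name__ == "__main__":
    db = build_sample_db()
    print("affected before:", find_discussions_without_first_post(db))
    print("repaired:", repair_all(db))
    print("affected after:", find_discussions_without_first_post(db))
```

Against a real forum the FIND_SQL query is the part worth keeping: run it (adapted to MySQL) to find out whether any deleted-first-post discussions exist before deciding between the delete-the-discussion and set-first_post_id workarounds.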
The patch landed on the release/v1.6.3 branch on the 10th of January 2023 around 12:00 UST. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.3 on the same day, an hour later.

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.6.0, and any errors to their fullest.
Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca !
Special thanks for all the Devotees (people pledging to our bounties in the Proposals tag), you are driving a lot of new features! These people have helped ship a new feature in this release with their pledge:
@datlechin @Darkle @SKevo @GreXXL @pkernstock @Lurker @CyberGene @meihuak .
# Update to latest version
composer update --prefer-dist --no-dev -a -W
# Verify that you're on v1.6.2
composer show flarum/core
# Clear cache
php flarum cache:clear
<img src=x onerror=alert(document.domain)> resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user.

The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, resulting in a CVSS score of 9. See the CVSS score breakdown.

Attack vector: network
This attack is performed over a network without physical or local access required. The network does not have to be adjacent.
Attack complexity: low
The attack can be performed relatively simply and affected all forums, despite their individual configurations. It is repeatable under all conditions.
Privileges required: low
On a default installation of Flarum, users can create discussions after confirming their email address. This means that the only permissions required to exploit this vulnerability are a confirmed user account.
User interaction: required
For the vulnerability to be exploited, a user must open the malicious discussion within their browser.
Scope: changed
The vulnerable component is the Flarum forum. The impacted component is the user's browser, therefore the scope has changed.
Confidentiality impact: high
An impacted user's details could be fully retrieved by the attacker via a malicious AJAX request.
Integrity impact: high
An impacted user's details could be changed by the attacker via a malicious AJAX request.
Availability impact: high
If a forum administrator was impacted, a malicious AJAX request could modify forum settings on the Admin dashboard and result in a full forum denial of service, for example by injecting broken JavaScript code into the custom header, leaving the forum frontend unusable.
Previously the HTML was parsed inside the page's window, hence it would execute JavaScript within it and could access secrets within the page's JavaScript scope (such as browser cookies).

The fix parses the HTML with DOMParser, which has scripting disabled and is in a separate context from the window element. This prevents XSS attacks and allows raw HTML entities to be properly displayed. A more appropriate fix for the raw entities display issue will be looked into in further releases (see flarum/framework#3685). Fix commit: ed0cee9.