If you have not yet updated to v1.6.3 or later, do so immediately. The details of the vulnerabilities are public, and your forum could be maliciously exploited.
v1.6.3 has been released to address 3 security vulnerabilities reported by @clarkwinkelmann.

⚠️ Affected versions:
Two of the vulnerabilities affect all versions below v1.6.3.
One affect all versions between v1.3.0 and v1.6.2.

Upgrade instructions:

# Update to latest version
composer update --prefer-dist --no-dev -a -W

Verify that you're on v1.6.3

composer show flarum/core

Clear cache

php flarum cache:clear

---

Preface

⚠️ Post mentions can be used to read any post on the forum without access control (High Severity)

On December 27th, 2022, we received a report of a high confidentiality vulnerability in Flarum mentions through huntr.dev, affecting all versions below v1.6.3.

Impact
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.

The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events.
All Flarum versions prior to v1.6.3 are affected.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 00:07 UTC. The vulnerability's CVE score was 7.7, which is a high CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, resulting in a CVE score of 7.7. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3. Waiting for a CVE to be issued.

Workarounds
Disable the mentions extension.

⚠️ Notifications can leak restricted content (Moderate Severity)

On December 29th, 2022, we received a report of a moderate confidentiality vulnerability in Flarum core through the discord server private channel, affecting all versions below v1.6.3.

Impact
The notification-sending component does not check that the subject of the notification can be accessed by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this as they are listed based on a visibility check, however, emails are still sent out.

This means that, for extensions which restrict access to posts, any actor can bypass the restriction by subscribing to the discussion if the Subscriptions extension is enabled.
The attack allows the leaking of some posts in the forum database, including posts awaiting approval, posts in tags the user has no access to if they could subscribe to a discussion before it becomes private, and posts restricted by third-party extensions.
All Flarum versions prior to v1.6.3 are affected.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 13:12 UTC. The vulnerability's CVE score was 6.8, which is a moderate CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, resulting in a CVE score of 6.8. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4. Waiting for a CVE to be issued.

Workarounds
Disable the Flarum Subscriptions extension or disable email notifications altogether.

There is no other supported workaround for this issue for Flarum versions below 1.6.3.

⚠️ Any user can reply in public discussions whose first post was permanently deleted (Low Severity)

On December 29th, 2022, we received a report of a low integrity vulnerability in Flarum core through through huntr.dev, affecting versions between v1.3.0 and v1.6.3.

Impact
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email.

Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that discussions.comment_count is still above zero after the post deletion.
This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to.
In combination with the email notification settings, this could also be used as a way to send unsolicited emails.
Versions between v1.3.0 and v1.6.3 are impacted.
The vulnerability's CVE score was 3.5, which is a low CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, resulting in a CVE score of 3.5. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725. Waiting for a CVE to be issued.

Workarounds
If you don't delete the first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a first_post_id.

---

How were the vulnerabilities fixed?

These were patched through a combination of efforts from multiple developers in the past couple of weeks and pushed to the core's release/v1.6.3 branch on the 10th of January 2023 around 12:00 UST. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.3 on the same day an hour later.

What did we do right?

Available core developers looked into reports and discussed to patch the vulnerabilities one by one as soon as possible, an initial patch was proposed within a day and subsequent patches were proposed the week following it. With all approvals being acquired by the 9th January 2023.

What could we improve?

It took longer than usual to get a full patch ready and released, but this is mostly due to the fact this was a time of holiday for most of our team, but also because there were multiple (3) vulnerabilities we had to look into and our decision to fix them all in one patch.

How can we prevent this from happening again?

While we have made incredible progress in our backend test coverage, there is definitely a lot more that can be done. We need to invest more time into adding more backend tests so that issues such as these are caught earlier.⚠️

Hey,
With v1.6 released, time to move onto v1.7
We will try to post updates on the roadmap progress in this cycle.

v1.6.0 - Kookaburra

---

📣 The Release

---

We are happy to announce the release of v1.6, not the biggest release but sizeable and important regardless:

• 🤙 You can now mention groups, like me mentioning @Flarum Team (flarum/framework#3658) - Bounty
• 📈 Statistics extension now supports custom date ranges (flarum/framework#3622)
• 📈 Statistics extension now allows exporting the graph (flarum/framework#3662)
• 🧩 Using an automated installer, you can now choose extensions to enable (flarum/framework#3655)
• 📧 Notifications for approved posts are now properly sent out (flarum/framework#3656) - Bounty
• 👯 Group edit modal now contains a color preview input field (flarum/framework#3650)
• 🐛 Many bugs have been squashed.
• ♿️ Accessibility improvements have been made.
• 🧑‍💻 And much much more...

👨‍💻 For Developers

---

Extensions compatible with 1.5 should still operate on Flarum 1.6 without any changes.

⤴️ Upgrading

---

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.
To upgrade from 1.0 or 1.5 to 1.6, take a look at our upgrade guide documentation. The process should be much easier compared to previous major version upgrades, due to the lack of breaking changes.

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.6.0, and any errors to their fullest.

😇 Thanks to our Sponsors

---

Financial donations keep Flarum alive and kicking. The following companies and people deserve credit for making Flarum sustainable:

• Glowing Blue AG
• Sridhar Kamma
• Lincoln Russell
• Bart van Bragt
• Lurker
• Circuit Dojo
• David Wheatley
• Timotheus Pokorra
• Edmilerad
• ange1k
• S4 Hosting
• Seaborn
• Alexander Skvortsov
• Paulina
• Jai Gupta
• Matt Kilgore
• Guoqing
• Miguel A. Lago
• LianSheng
• Soobin Rho
• PapaFig1
• Nsustain

Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca !

Special thanks for all the Devotees (people pledging to our bounties in the Proposals tag), you are driving a lot of new features! These people have helped ship a new feature in this release with their pledge:
@datlechin @Darkle @SKevo @GreXXL @pkernstock @Lurker @CyberGene @meihuak .

Thanks for being awesome 😍 !

🙇‍♀️ Acknowledgements

---

Flarum wouldn't be the same without our over one hundred contributors, along with their generous time commitments! For this release we specifically thank these wonderful people:

• The non-team contributors that usually tackle unplanned, but extremely welcomed bugs or overhauls. We absolutely love contributions that help us move forward, so thank you very much:
  @datlechin @ornanovitch @iPurpl3x.
• The core and staff team contributors, people that have vast knowledge of the code base who sacrifice their free time to bring the awesome Flarum software to you, for free. Thank you so much:
  @askvortsov @SychO @davwheat @luceos @ianm @clarkwinkelmann
• The community staff is the foundation to a warm and welcoming community. Many cheers for all you do:
  @jordanjay29 @Prosperous @GreXXL
• The well-oiled machine that is the translation team, keeping up with new languages, their maintainers and the translations perfectly well. Very, very much appreciated:
  @GreXXL @Justoverclock @rob006
• All our additional staff who all help us where we need it most:
  @tankerkiller125 @Deebug @katos @victorparedes.
• A great shout out to everyone who's submitted carefully described issues and suggestions, especially:
  @ornanovitch @orschiro.
• And the whole community sharing their passion for Flarum, urging us on!

🆘 Support the Project

---

We need your support to:

• Guarantee continued development on the software.
• Create a valuable ecosystem around the project.
• Ensure healthy extensions are available.

You can support us:

• 👕 By getting some swag from our merchandise store!
• 💵 By becoming a Supporter or Sponsor on Discuss, backing us on Open Collective or on GitHub.
• 🤟 By supporting new features with your pledge in our Proposals tag.
• 👩‍💻 By contributing to the source code, hop onto any of our open issues.
• 📈 By creating your own Flarum extensions and sharing them with the world!
• 🌎 By translating Flarum and extensions into your own language.
• 💝 By sharing your love for Flarum with friends, family and on the internet.
• 💬 By hanging out with us, here on discuss!

For installation instructions check our installation documentation. If you are interested in developing extensions for Flarum, check the extend section there.

📖 Introduction

Welcome to our newest community update. In this edition we want to show you the versitlity of Flarum as a multi-language forum patform. Also - like you are already used to - we will share interesting updates on the Flarum ecosystem, including the newest plugin additions and active bountries. In Edition 4 of our community updates 2022 we featured a overview about push notifications and mobile app support. Feel free to skip back to this post in case you are interested. But now lets move on to our newest update.

---

🗣️ Multi-language in Flarum! What are the options?

Many message boards have a target audience speaking different languages. Support for multiple languages is, therefore, at the heart of much good software. But supporting different languages as variables for text does not make for a good multi-language community. Many extensions are available that help you customise your community for a truly multilingual experience. But before we go there, let's start with language support in Flarum first.

🌐 Flarum Lang

With the Flarum Language Project, we started to get more of the available translations under a common roof. Those languages are also available on Weblate. This web-based platform allows you to contribute to all available languages to get new extensions translated or improve translations. Of course existing or new languages are always welcome to join the project. All contributions are welcomed!
Find all 40 available languages on the GitHub Project. A big thank you needs to be sent to all the many language pack maintainers and contributors.

🧩 Extensions

While Flarum offers great support for different languages to be installed in one installation, there are many extensions out there that greatly improve the handling of multi-languages.

Discussion Language by @FriendsOfFlarum

This extension allows one to assign a language to discussions, allowing one to filter content by language. There are many neat features like language auto-detect to assist users in finding what they are looking for.
Find out more on the extensions page.

Localizd by @glowingblue

This premium extension extends Flarum to add support for translating core features into different languages. This includes the Forum description as well as, most importantly, Tags. This allows users to change the Forum to the language of their desire completely.
Find out more on the extensions page.

Translate by @ianm

Another premium extension allows the automatic language detection and translation of discussions and posts. This allows users to easily view the complete content a multi-language has to offer and does not limit them to the languages they speak. Asides from the extension, a professional language translation service like Google Translate or DeepL is needed. Both offer free limits to get this started, though.
Find out more on the extensions page.

Other extensions

Of course, we also need to mention the FoF Linguist extension and the Translation Inspector, which are both useful tools to improve the languages of Flarum or modify them to the specific needs of your community.

🧪 Samples

Now one might argue that this is theoretically very nice but is there any bigger community out there using this in the real world? I am really happy to say yes! Also, this community has been highlighted in a previous community update already! You can read the interview of @Dany and visit the community.

📰 Other News

Flarum released Version 1.6, including the first two bounties successfully funded and implemented. Please also note that a critical security update has been released for affected version 1.5.x to 1.6.1. Work on the next version, 1.7 has already started.
Also on date of publishing this article there are currently different promotions running for Black Friday offering some big discounts on premium extensions worth checking out.

🏴‍☠️ Active Bounties:

• Mentioning Tags has been picked up by @ianm to be implemented in 1.7 but still happily takes supporters.
• Improving FoF Spamblock still looking for funding and implementation
• Turnstile Captcha has been picked up by @ianm to be implemented but still happily takes supporters
• Federation Extension has been picked up by @luceos but still needs a lot of funding

🕸️ Extension Highlights

• Sudo Mode by @clarkwinkelmann to protect sensible areas of Flarum administration
• Post Stream Search by @clarkwinkelmann allowing easy search within a discussion

---

🏁 Final words

We hope you have liked this edition of “Community Updates”. Looking forward to your comments and ideas for future updates. We are going to pickup speed again and hope to see you soon on the next edition of Community Updates.

If you have not yet updated to v1.6.2 or later, do so immediately. The details of the vulnerability are public, and your forum could be maliciously exploited.
Affected versions:

• v1.5.0 to v1.6.1 - ⚠️ Affected
• v1.4.1 and below - ✅ Not affected

Upgrade instructions:

# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.6.2
composer show flarum/core

# Clear cache
php flarum cache:clear

---

Preface

On Friday 18 November 2022 at 11:57 UTC, we received a report of a critical cross-site scripting (XSS) vulnerability in Flarum core through huntr.dev, affecting versions from v1.5.0 to v1.6.1.
This vulnerability is related to the process of setting page titles client and server side, and the possible conversion of title strings into HTML DOM nodes.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 12:08 UTC. The vulnerability's CVE score was 9.0, which is an extremely high CVE score.
This was patched through a combination of efforts from multiple developers and pushed to the core's main branch at 21:09 UTC. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.2 at 22:21 UTC.

What caused the vulnerability?

Flarum's page title system allowed for discussion title inputs to be converted into HTML DOM nodes when rendered (visiting a discussion page). This change was made in v1.5.0 and was not noticed.
This allowed for any user to type malicious HTML markup within discussion title user input, either through a new discussion o renaming an existing one, and have this execute on client browsers. Entering faux-malicious HTML markup, such as <img src=x onerror=alert(document.domain)> resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user.
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, resulting in a CVE score of 9. See the CVSS score breakdown.
A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x. Waiting for a CVE to be issued.

CVSS breakdown

Attack vector: network
This attack is performed over a network without physical or local access required. The network does not have to be adjacent.

Attack complexity: low
The attack can be performed relatively simply and affected all forums, despite their individual configurations. It is repeatable under all conditions.

Privileges required: low
On a default installation of Flarum, users can create discussions after confirming their email address. This means that the only permissions required to exploit this vulnerability are a confirmed user account.

User interaction: required
For the vulnerability to be exploited, a user must open the malicious discussion within their browser.

Scope: changed
The vulnerable component is the Flarum forum. The impacted component is the user's browser, therefore the scope has changed.

Confidentiality impact: high
An impacted user's details could be fully retrieved by the attacker via a malicious AJAX request.

Integrity impact: high
An impacted user's details could be changed by the attacker via a malicious AJAX request.

Availability impact: high
If a forum administrator was impacted, a malicious AJAX request could modify forum settings on the Admin dashboard and result in a full forum denial of service. This could be by injecting broken Javascript code into the custom header resulting in a broken forum frontend.

How was the vulnerability fixed?

When setting the page title, we now prevent having the title evaluated through a temporary HTML element that was previously used to properly display raw HTML entities. This temporary element was within the scope of the browser's window, hence would execute Javascript within it and could access secrets within the page's Javascript scope (such as browser cookies).
Now, we use a DOMParser which has scripting disabled and is in a separate context from the window element. This prevents XSS attacks and allows raw HTML entities to be properly displayed. A more appropriate fix for the raw entities display issue will be looked into in further releases (see flarum/framework#3685).
For more info, please see the commit that fixes this vulnerability: flarum/[email protected]ed0cee9

What did we do right?

All available core developers jumped on the report to patch the vulnerability as soon as possible, an initial patch was proposed within a couple of hours and a final patch received the first approval within 7 hours, after thoroughly looking for the root cause and how it was introduced in the first place.

What could we improve?

At the time of the discovery, no online developers had the ability to draft a security disclosure on GitHub. This would have provided us with a secure way to attempt to develop a patch together and review the code more easily. Instead, we used a public PR which is less than ideal.
At the time of release, we struggled for some time with branching off and sub splitting from our monorepo for a lack of documentation and expanded use in our CLI utility.

How can we prevent this from happening again?

A JavaScript automated test suite could have helped pick up on the introduced issue which was not noticed during reviews. There is already work in progress in implementing Jest for one of the next releases. Automated tests will have a massive effect on avoiding these problems in the future.