Flarum · Flarum Sticky Extension · CVE-2021-21283
Name of the Vulnerable Software and Affected Versions:
Flarum Sticky extension versions 0.1.0-beta.14 through 0.1.0-beta.15
Description:
The Flarum Sticky extension has a cross-site scripting vulnerability. A change in release beta 14 caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The text was passed through Mithril's `m.trust()` helper, which marks a string as trusted HTML and bypasses the escaping that ordinary string children receive, so any HTML in the post text was injected as markup. `<script>` tags inserted this way are not executed, but JavaScript could still run from other HTML attributes, enabling a cross-site scripting (XSS) attack. Since the exploit only happens with the first post of a pinned discussion, an attacker would need the ability to pin their own discussion, or be able to edit a discussion that was previously pinned. On forums where all pinned posts are authored by staff, you can be relatively certain the vulnerability has not been exploited. Forums where some user-created discussions were pinned can look at the first post edit date to find whether the vulnerability might have been exploited.
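The following is an added triage helper for the check described above, not code from Flarum or the Sticky extension. It assumes a simple export of discussions (fields `id`, `pinned`, `firstPost.authorRole`, `createdAt`, `editedAt`, `content`), which is a constructed format rather than Flarum's real API, and shows beside it how a correct renderer escapes the same text.

```javascript
// Added example; not Flarum code. Record shape and role names are assumptions.
const STAFF_ROLES = new Set(['admin', 'mod']);

// Markup in plain-text content is what the beta.14 rendering would have injected
// as HTML on the discussion list; any tag-like sequence is worth a look.
function containsMarkup(text) {
  return /<\s*[a-z!/][^>]*>/i.test(text);
}

// What a correct renderer does with the same text: escape it so markup shows
// literally (Mithril does this for ordinary string children; m.trust() skips it).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// The advisory's heuristic: staff-authored pinned posts are low concern;
// user-authored ones need review if the first post was edited or holds markup.
function triagePinned(discussions) {
  return discussions
    .filter((d) => d.pinned)
    .map((d) => {
      const p = d.firstPost;
      const staff = STAFF_ROLES.has(p.authorRole);
      const edited = Boolean(p.editedAt) && p.editedAt !== p.createdAt;
      const markup = containsMarkup(p.content);
      return { id: d.id, staff, edited, markup, review: !staff && (edited || markup) };
    });
}

// Constructed sample records (not real forum data).
const SAMPLE_DISCUSSIONS = [
  { id: 1, pinned: true, firstPost: { authorRole: 'admin', createdAt: '2021-01-05', editedAt: null, content: 'Forum rules' } },
  { id: 2, pinned: true, firstPost: { authorRole: 'member', createdAt: '2021-01-12', editedAt: '2021-01-20', content: 'Hello <b>everyone</b>' } },
  { id: 3, pinned: true, firstPost: { authorRole: 'member', createdAt: '2021-01-15', editedAt: null, content: 'Plain text only' } },
  { id: 4, pinned: false, firstPost: { authorRole: 'member', createdAt: '2021-01-16', editedAt: '2021-01-17', content: '<i>x</i>' } },
];

for (const r of triagePinned(SAMPLE_DISCUSSIONS)) {
  console.log(r.id, r.review ? 'REVIEW' : 'ok', JSON.stringify(r));
}
```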
Recommendations:
For versions 0.1.0-beta.14 and 0.1.0-beta.15, update to version v0.1.0-beta.16 or v0.1.0-beta.15.1 of the Sticky extension.
As a temporary workaround, consider disabling the Sticky extension until a patch is available.