PT-2021-14388 · Flarum · Flarum Sticky Extension

Clarkwinkelmann · Published 2021-01-26 · Updated 2021-02-04 · CVE-2021-21283

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Flarum Sticky extension versions 0.1.0-beta.14 through 0.1.0-beta.15
Description: The Flarum Sticky extension has a cross-site scripting vulnerability. A change in release beta.14 caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. Any HTML would be injected through the m.trust() helper, resulting in an HTML injection where <script> tags would not be executed, but it was possible to run JavaScript from other HTML attributes, enabling a cross-site scripting (XSS) attack to be performed. Since the exploit only happens with the first post of a pinned discussion, an attacker would need the ability to pin their own discussion, or be able to edit a discussion that was previously pinned. On forums where all pinned posts are authored by staff, you can be relatively certain the vulnerability has not been exploited. Forums where some user-created discussions were pinned can look at the first post edit date to find whether the vulnerability might have been exploited.
Recommendations: For versions 0.1.0-beta.14 and 0.1.0-beta.15, update to version v0.1.0-beta.16 or v0.1.0-beta.15.1 of the Sticky extension. As a temporary workaround, consider disabling the Sticky extension until a patch is available.
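The triage check the advisory suggests (review pinned discussions whose first post was user-authored, and look at the edit date), as an added helper that is not part of the advisory or of the Flarum Sticky extension. Field names, the vulnerable installation window and the sample records are assumptions; adapt them to your own forum export.

```javascript
// Added triage helper (not the advisory's or the Sticky extension's own code).
// Lists pinned discussions whose first post was written by a non-staff user, which is the
// population the advisory says to review, and raises the priority when that post was edited
// while a vulnerable version was installed or still contains HTML-like markup.
// Field names are assumptions modelled loosely on Flarum's API; adapt them to your export.

// Assumed: the period during which 0.1.0-beta.14 or 0.1.0-beta.15 was installed on this forum.
const VULNERABLE_WINDOW = {
  start: new Date('2021-01-01T00:00:00Z'),
  end: new Date('2021-02-04T00:00:00Z'),
};

// Matches anything that looks like an HTML tag inside what should be plain text.
const TAG_LIKE = /<\s*\/?[a-z][^>]*>/i;

function triagePinnedDiscussions(discussions, window = VULNERABLE_WINDOW) {
  const findings = [];
  for (const d of discussions) {
    if (!d.isSticky) continue; // only pinned discussions were rendered through m.trust()
    const post = d.firstPost;
    if (post.user && post.user.isStaff) continue; // advisory: staff-authored pins are low concern
    const reasons = ['first post authored by a non-staff user'];
    if (post.editedAt) {
      const edited = new Date(post.editedAt);
      if (edited >= window.start && edited <= window.end) {
        reasons.push('first post edited while a vulnerable version was installed');
      }
    }
    if (TAG_LIKE.test(post.contentPlain)) reasons.push('first post contains HTML-like markup');
    findings.push({ id: d.id, title: d.title, severity: reasons.length > 1 ? 'investigate' : 'review', reasons });
  }
  return findings;
}

// Constructed sample records; none of these are real forum data.
const SAMPLE_DISCUSSIONS = [
  { id: 1, title: 'Forum rules', isSticky: true,
    firstPost: { user: { isStaff: true }, editedAt: '2021-01-20T10:00:00Z', contentPlain: 'Be nice.' } },
  { id: 2, title: 'Introduce yourself', isSticky: false,
    firstPost: { user: { isStaff: false }, editedAt: null, contentPlain: '<b>hi</b>' } },
  { id: 3, title: 'Community meetup', isSticky: true,
    firstPost: { user: { isStaff: false }, editedAt: '2021-01-25T08:30:00Z', contentPlain: 'See <b>details</b> below' } },
  { id: 4, title: 'FAQ (user maintained)', isSticky: true,
    firstPost: { user: { isStaff: false }, editedAt: null, contentPlain: 'Plain text only' } },
];

console.log(JSON.stringify(triagePinnedDiscussions(SAMPLE_DISCUSSIONS), null, 2));
```

Discussions flagged "investigate" are the ones to open and inspect; a clean result still only rules out the pattern this check looks for, so apply the update regardless.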


Related Identifiers

CVE-2021-21283
GHSA-H3GG-7WX2-CQ3H

Affected Products

Flarum Sticky Extension