PT-2021-19846 · Flarum · Flarum

Luceos · Published 2021-06-07 · Updated 2021-06-17 · CVE-2021-32671

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flarum versions 1.0.0 through 1.0.1
Description: Flarum's client-side translation system rendered translated strings as HTML DOM nodes, so user-supplied text that was interpolated into a translation was parsed as markup rather than displayed as text. Any user could therefore enter HTML in certain input fields and have it executed in the browsers of users who viewed the result. The reported example was entering <script>alert('test')</script> in the forum search box, which produced an alert box. Because the injected script runs in the victim's session with the victim's permissions, the same technique can issue AJAX requests to the forum's API: deleting discussions, changing the victim's settings or profile, or, if a privileged user is targeted, changing Admin panel settings.
Recommendations: Upgrade to flarum/core version 1.0.2 or later as soon as possible. Run "composer update --prefer-dist --no-dev -a -W", then confirm the installed version with "composer show flarum/core".
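The pattern behind the bug, as an added illustration that is not Flarum's own code: a minimal translator that substitutes parameters into a template string and hands the result to whatever turns strings into DOM nodes. The translation key and template, the escapeHtml helper, the containsScriptTag check and the query value are all constructed for this example. transUnsafe substitutes the raw parameter, so the whole string, script tag included, becomes markup; transSafe escapes each parameter first, so attacker-controlled text can only ever become a text node.

```javascript
// Added example, not code from Flarum. Demonstrates the class of bug in
// CVE-2021-32671: a translation string that is converted to DOM nodes as
// HTML after user input has been interpolated into it.

// Constructed translation table; the key and template are assumptions
// chosen to resemble a "search all discussions" button label.
const TRANSLATIONS = {
  'example.search_all': 'Search all discussions for "{query}"',
};

// Minimal escaping for text placed inside an element body or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Substitute {name} placeholders using a caller-supplied transform.
function interpolate(template, params, transform) {
  return template.replace(/\{(\w+)\}/g, (_, name) => transform(params[name] ?? ''));
}

// Vulnerable pattern: parameters are substituted verbatim and the whole
// result is later treated as HTML (in a browser: innerHTML, or a
// framework's "trusted HTML" vnode). Attacker markup survives intact.
function transUnsafe(key, params) {
  return interpolate(TRANSLATIONS[key], params, (v) => v);
}

// Hardened pattern: every parameter is escaped before substitution, so
// the parser can only produce text for the attacker-controlled part.
function transSafe(key, params) {
  return interpolate(TRANSLATIONS[key], params, escapeHtml);
}

// Smoke test only: checks whether a rendered string still carries a raw
// <script> start tag. Not a filter; real payloads need not use <script>.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input: the payload quoted in the advisory.
const PAYLOAD = "<script>alert('test')</script>";

// Render the same payload through both code paths.
function demo() {
  const params = { query: PAYLOAD };
  return {
    unsafe: transUnsafe('example.search_all', params),
    safe: transSafe('example.search_all', params),
  };
}

const result = demo();
console.log('unsafe:', result.unsafe);
console.log('safe:  ', result.safe);
```

In a browser the final step is the string-to-DOM conversion; the unsafe output becomes a live script element, while the hardened output contains only &lt;script&gt;, which the parser renders as literal characters. Escaping at the parameter boundary is the general fix whichever template engine performs the substitution; grepping the output for a script tag is only a demonstration aid, since an img element with an onerror attribute would pass it and still execute.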

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-32671
GHSA-5QJQ-69W6-FG57

Affected Products

Flarum