PT-2022-26169 · Flarum · Flarum

Dangzed · Published 2022-11-19 · Updated 2022-11-26 · CVE-2022-41938

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Flarum versions 1.5.0 through 1.6.1

Description

The issue arises from Flarum's page title system, which allowed page titles to be converted into HTML DOM nodes when pages were rendered. This enabled an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The attack occurs after a visitor opens the relevant discussion page. All communities running the affected versions are impacted.

Recommendations

For versions 1.5.0 through 1.6.1, upgrade to version 1.6.2 as soon as possible. To upgrade, use the command composer update --prefer-dist --no-dev -a -W, and then confirm the latest version using composer show flarum/core.
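
A check of a composer.lock file against the affected range above, as an added example that is not part of the original advisory or of Flarum's code. The function names and status labels are illustrative, and the sample lock data is constructed.

```python
import json
import re

# Affected range stated in the advisory: 1.5.0 through 1.6.1 (inclusive).
AFFECTED_MIN = (1, 5, 0)
AFFECTED_MAX = (1, 6, 1)


def parse_version(raw):
    """Return (major, minor, patch) for tags like 'v1.6.1' or '1.6.0-beta.1'.

    Pre-release suffixes are ignored, so a beta of an affected release is
    flagged too. Branch aliases such as 'dev-main' return None because
    they cannot be placed in the range and need manual review.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def flarum_core_status(lock_text):
    """Classify the flarum/core entry of a composer.lock document."""
    lock = json.loads(lock_text)
    # Composer records locked packages under "packages" (and dev-only
    # ones under "packages-dev"); each entry has "name" and "version".
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    for pkg in entries:
        if pkg.get("name") == "flarum/core":
            version = parse_version(pkg.get("version", ""))
            if version is None:
                return "unknown"
            if AFFECTED_MIN <= version <= AFFECTED_MAX:
                return "affected"
            return "not-affected"
    return "not-installed"


def make_lock(version):
    # Constructed sample input, not taken from a real installation.
    return json.dumps({"packages": [
        {"name": "flarum/approval", "version": "v1.6.1"},
        {"name": "flarum/core", "version": version},
    ]})


if __name__ == "__main__":
    for v in ("v1.4.1", "v1.5.0", "v1.6.1", "v1.6.2", "dev-main"):
        print(v, "->", flarum_core_status(make_lock(v)))
```
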

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-41938
GHSA-7X4W-J98P-854X

Affected Products

Flarum