Cross-site Scripting (XSS) - Stored at discussion title in flarum/framework

Valid

Reported on

Nov 17th 2022


Description

An attacker can inject an XSS payload into the title when starting or renaming a discussion. The payload is triggered as soon as a normal user opens that discussion.

Proof of Concept

1. Login to your account on https://forum.locker.io
2. Create **New Discussions**
3. On the Discussions Title, enter payload: <img src=x onerror=alert(document.domain)>
4. Click **Post Discussions**; the XSS will then trigger.

PoC image

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
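The bug class above is a failure to escape stored data at the point where it is rendered. The following is an added example (not Flarum's own code, and not the commit that fixed this report): a hypothetical hero-title renderer in the unsafe form beside the hardened form, exercised with the payload from the proof of concept. The `renderHeroUnsafe`/`renderHeroSafe`/`tagNames` names are assumptions for illustration.

```javascript
// Added example, not Flarum code: rendering a user-controlled discussion
// title into HTML. Stored XSS arises when the stored string is trusted at
// output time; the fix is to escape for the context it lands in.

// Minimal HTML escaper covering element content and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: interpolates the raw stored title. This is what
// assigning innerHTML, or passing the title through Mithril's m.trust(),
// amounts to in a browser.
function renderHeroUnsafe(title) {
  return `<h2 class="DiscussionHero-title">${title}</h2>`;
}

// Hardened pattern: escape once at the output boundary. The same escaped
// value is safe both as element content and inside a quoted attribute.
function renderHeroSafe(title) {
  const text = escapeHtml(title);
  return `<h2 class="DiscussionHero-title" title="${text}">${text}</h2>`;
}

// Lists the tag names present in rendered markup, so a reviewer (or a unit
// test) can check that only the template's own tags appear.
function tagNames(html) {
  return (html.match(/<\/?([a-zA-Z][\w-]*)/g) || [])
    .map(t => t.replace(/^<\/?/, '').toLowerCase());
}

// Constructed input: the payload quoted in the report above.
const REPORTED_TITLE = '<img src=x onerror=alert(document.domain)>';

// Unsafe: h2,img,h2 (attacker-supplied <img> reaches the DOM).
// Safe:   h2,h2     (the payload is rendered as literal text).
console.log('unsafe:', tagNames(renderHeroUnsafe(REPORTED_TITLE)).join(','));
console.log('safe:  ', tagNames(renderHeroSafe(REPORTED_TITLE)).join(','));
```

The regression test a maintainer would add after such a report is the second assertion: the rendered title must contain no tags beyond the template's own.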

We are processing your report and will contact the flarum/framework team within 24 hours. 12 days ago
We have contacted a member of the flarum/framework team and are waiting to hear back 11 days ago
flarum/framework maintainer has acknowledged this report 11 days ago
David Wheatley modified the Severity from High (7.5) to Critical (9) 11 days ago
David Wheatley
11 days ago

Thank you for reporting this vulnerability.

We're currently in the process of patching this within our code. We ask that you keep information about this vulnerability private until we have released and publicly announced the vulnerability.

Could you please provide your:

  • GitHub username (if you want credit for discovery on a GitHub Security Advisory/CVE)
  • Flarum Discuss username (if you wish to be mentioned in the announcement)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Wheatley validated this vulnerability 11 days ago
Vũ Hải Đăng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Wheatley marked this as fixed in 1.6.2 with commit ed0cee 11 days ago
David Wheatley has been awarded the fix bounty
This vulnerability will not receive a CVE
David Wheatley
11 days ago

Thanks again for reporting this security issue responsibly!

This security vulnerability has been patched in v1.6.2, and a GitHub Security Advisory has been generated here: https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x

We have requested a CVE through GitHub to remain consistent with our previous security reports. This should be done within the next week.

David Wheatley
11 days ago

@admin Could we publish this without a CVE, please? I'm not sure if deselecting the "This vulnerability affects distributable code, not a website (triggers CVE)" checkbox will cause other issues, other than not allocating a CVE. If not, I can just do it myself.

Vũ Hải Đăng
10 days ago

Researcher

Wow, that was a fast patch. My GitHub username is @dangzed; I don't have a Flarum Discuss name. Thank you for requesting a CVE.

Vũ Hải Đăng
10 days ago

Researcher

Now that a GitHub Security Advisory has been generated, could I publish this vulnerability on my blog?

David Wheatley
10 days ago

Yeah, go for it! Feel free to link to the GHSA, our discussion on Flarum Discuss about the vulnerability/patch, or our GitHub in general (totally optional, by the way!).

I've asked that your GitHub account be added to be credited for the vuln. You should get an email from GitHub within the next 48 hours asking you to accept credit (up to you) for the vulnerability.

If you accept, a label will be shown under your name with "1 security advisory credited", and your GitHub profile will be linked from the security advisory.

Thanks again for reporting this! :)

Vũ Hải Đăng
10 days ago

Researcher

No problem at all! Thank you for your response.

Pavlos
8 days ago

Admin

Hi David! Yeah, the checkbox only enables/disables the CVE, so you can safely publish this vulnerability by unselecting the checkbox :)

David Wheatley
8 days ago

Cool, thanks!

David Wheatley published this vulnerability 8 days ago