SB2021060601 - Cross-site scripting in Flarum




Published: June 6, 2021 Updated: April 20, 2026

Security Bulletin ID: SB2021060601
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2021-32671)

The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting in the translation system when rendering user-supplied input as HTML DOM nodes. A remote attacker can submit malicious HTML markup to execute arbitrary script code in a victim's browser.

The issue can be triggered through certain user input fields, including the forum search box, and may allow actions to be performed on behalf of the victim.
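The flaw class described above, as an added example (not Flarum's code and not taken from the advisory): a hypothetical translator splices a parameter into a translation string that is later parsed as HTML, shown beside a version that escapes parameters first. The function names, the translation key and the sample query are constructed for illustration.

```javascript
// Added illustration; not Flarum's code. All names here are hypothetical.
const TRANSLATIONS = {
  // Constructed translation string: its markup is trusted, {query} is user input.
  "search.heading": "Results for <strong>{query}</strong>",
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Encode the five characters that let text break out into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Weak pattern: parameters are spliced in raw, so the later HTML parse
// cannot tell translator markup from user-supplied markup.
function translateUnsafe(key, params) {
  return TRANSLATIONS[key].replace(/\{(\w+)\}/g, (m, name) =>
    has(params, name) ? String(params[name]) : m);
}

// Hardened pattern: every parameter is escaped before substitution, so only
// the translation string itself can contribute elements.
function translateSafe(key, params) {
  return TRANSLATIONS[key].replace(/\{(\w+)\}/g, (m, name) =>
    has(params, name) ? escapeHtml(params[name]) : m);
}

// List the element names an HTML parser would open for this string.
function openedElements(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample input: harmless markup typed into a search box.
const sampleQuery = 'cats <u title="x">and</u> dogs';

console.log(openedElements(translateUnsafe("search.heading", { query: sampleQuery })));
console.log(openedElements(translateSafe("search.heading", { query: sampleQuery })));
```

With the raw substitution the user-supplied `u` element reaches the DOM alongside the translator's `strong`; with escaping only `strong` does, and the query is displayed as literal text.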


Remediation

Install the update from the vendor's website.