Flarum Nicknames Extension Display Name Injection Vulnerability

A vulnerability exists in the Flarum forum software when the flarum/nicknames extension is active. It allows registered users to set nicknames that include strings interpreted as hyperlinks by email clients. These nicknames are sent verbatim in plain-text notification emails, potentially misleading recipients into visiting attacker-controlled websites. This issue affects Flarum Nicknames versions prior to 1.8.3.

Impact

Exploitation of this vulnerability could lead to phishing or social engineering attacks, as recipients may be tricked into clicking links that appear to come from a trusted source.

Reproduction

To reproduce this vulnerability, enable the flarum/nicknames extension and set a nickname that includes a hyperlink, such as 'nasty.com' or '[CLICK](https://evil.com)'. Then, trigger a notification email to another user. In the case of 'nasty.com', the link will appear clickable in most email clients. For the markdown link example, 'CLICK' will be a clickable link in email clients that render markdown.

Remediation

Users can update to Flarum Nicknames version 1.8.3 or later, where this vulnerability has been fixed.