CVE-2022-30999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FriendsOfFlarum upload
FriendsofFlarum (FoF) Upload is an extension that handles file uploads intelligently for your forum. If FoF Upload prior to version 1.2.3 is configured to allow the uploading of SVG files ('image/svg+xml'), navigating directly to an SVG file URI could execute arbitrary JavaScript code decided by an attacker. This JavaScript code could include the execution of HTTP web requests to Flarum, or any other web service. This could allow data to be leaked by an authenticated Flarum user, or, possibly, for data to be modified maliciously. This issue has been patched with v1.2.3, which now sanitizes uploaded SVG files. As a workaround, remove the ability for users to upload SVG files through FoF Upload.
AI Analysis
Technical Summary
CVE-2022-30999 is a cross-site scripting (XSS) vulnerability identified in the FriendsOfFlarum (FoF) Upload extension, a popular plugin used to manage file uploads in Flarum forums. The vulnerability affects versions prior to 1.2.3 when the extension is configured to allow uploading of SVG files with the MIME type 'image/svg+xml'. SVG files are XML-based vector images that can contain embedded JavaScript. In this vulnerable configuration, an attacker can upload a malicious SVG file containing arbitrary JavaScript code. When an authenticated user navigates directly to the URI of the uploaded SVG file, the embedded JavaScript executes in the context of the user's browser session. This script can perform unauthorized HTTP requests to the Flarum forum or other web services accessible by the user, potentially leading to data leakage or unauthorized data modification. The root cause is improper neutralization of input during web page generation (CWE-79), where the SVG content is not sanitized before being served. The issue was addressed in version 1.2.3 of FoF Upload by sanitizing uploaded SVG files to remove executable scripts. As a temporary mitigation, administrators can disable SVG uploads entirely to prevent exploitation. No known public exploits have been reported in the wild, but the vulnerability poses a risk especially in forums with authenticated users and where SVG uploads are enabled. The attack requires user interaction (visiting the malicious SVG URL) and authentication, but the impact includes potential compromise of confidentiality and integrity of user data within the forum environment.
Potential Impact
For European organizations using Flarum forums with the FoF Upload extension configured to allow SVG uploads, this vulnerability could lead to unauthorized disclosure of sensitive forum data or manipulation of forum content through the execution of malicious scripts. Since the attack requires an authenticated user to visit the malicious SVG URL, insider threats or phishing campaigns targeting forum users could trigger exploitation. The impact on confidentiality is significant as attackers could exfiltrate private messages or user credentials via crafted HTTP requests. Integrity could also be compromised if attackers modify forum posts or user data. Availability impact is limited but could occur if malicious scripts disrupt normal forum operations. Given that Flarum is used by various communities and organizations across Europe, including those in sectors such as education, government, and private enterprises, exploitation could undermine trust and lead to reputational damage. The medium severity reflects the need for user interaction and authentication, but the potential for data leakage and manipulation warrants prompt remediation.
Mitigation Recommendations
1. Upgrade the FoF Upload extension to version 1.2.3 or later, which includes proper sanitization of SVG files to neutralize embedded scripts.
2. If immediate upgrade is not feasible, disable the ability for users to upload SVG files via FoF Upload to eliminate the attack vector.
3. Implement strict Content Security Policy (CSP) headers on the forum web server to restrict execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of any malicious SVG content.
4. Educate forum users about the risks of clicking on untrusted links, especially those pointing to SVG files.
5. Monitor forum logs for unusual access patterns to SVG files or suspicious HTTP requests originating from authenticated user sessions.
6. Conduct regular security audits of forum extensions and configurations to ensure no other unsafe file types or plugins are enabled.
7. Consider implementing web application firewalls (WAF) with rules to detect and block malicious SVG payloads or suspicious requests targeting the upload functionality.
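The following is an added example of the two defensive measures the analysis describes (sanitizing uploaded SVGs so they contain no executable content, and serving them under a CSP that blocks script and isolates the origin). It is not FoF Upload's own code and does not reproduce the v1.2.3 patch; it uses only the Python standard library, and the sample SVG, the blocked-element set and the header values are constructed assumptions for illustration. It strips <script> and <foreignObject>, non-SVG-namespace elements, on* event-handler attributes, href/xlink:href values with a javascript: (or any non-http(s)) scheme, and <animate>/<set> values that would rewrite an href to such a scheme, and it rejects DOCTYPE declarations so that XML entity expansion cannot be used against the parser.

```python
"""SVG upload sanitizer and response headers (added example, not FoF Upload's code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize the SVG namespace as the default one
ET.register_namespace("xlink", XLINK_NS)

# Assumed denylist: elements that execute script or embed a full HTML document.
BLOCKED_ELEMENTS = {"script", "foreignObject"}
# Attributes on <animate>/<set> that can rewrite another attribute (e.g. href) at runtime.
ANIMATION_VALUE_ATTRS = {"to", "from", "values", "by"}


def _local(qname):
    """'{uri}tag' -> 'tag'; un-namespaced names are returned unchanged."""
    return qname.rsplit("}", 1)[-1]


def _namespace(qname):
    return qname[1:].split("}", 1)[0] if qname.startswith("{") else ""


def _is_safe_url(value):
    """Allow fragments, relative references and http(s); reject javascript:, data:, etc."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()   # browsers ignore these chars in a scheme
    if v.startswith("#"):
        return True
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", v)
    return m is None or m.group(1) in ("http", "https")


def _clean(elem, report):
    tag = _local(elem.tag)
    for name in list(elem.attrib):
        local = _local(name).lower()
        value = elem.attrib[name]
        if local.startswith("on"):                          # onload, onclick, onbegin, ...
            del elem.attrib[name]
            report["event_handlers"] += 1
        elif local == "href" and not _is_safe_url(value):   # covers href and xlink:href
            del elem.attrib[name]
            report["unsafe_urls"] += 1
        elif (tag in ("animate", "set") and local in ANIMATION_VALUE_ATTRS
              and not all(_is_safe_url(p) for p in value.split(";"))):
            del elem.attrib[name]
            report["unsafe_urls"] += 1
    for child in list(elem):
        # Drop blocked elements and anything outside the SVG namespace (e.g. XHTML) outright.
        if _local(child.tag) in BLOCKED_ELEMENTS or _namespace(child.tag) not in ("", SVG_NS):
            elem.remove(child)
            report["elements"] += 1
        else:
            _clean(child, report)


def sanitize_svg(data):
    """Return (sanitized_bytes, report). Raises ValueError/ParseError on unacceptable input."""
    if re.search(rb"<!DOCTYPE", data, re.I):
        raise ValueError("DOCTYPE declarations are not accepted (entity expansion risk)")
    root = ET.fromstring(data)                               # ParseError on malformed XML
    if _local(root.tag) != "svg" or _namespace(root.tag) not in ("", SVG_NS):
        raise ValueError("root element is not <svg>")
    report = {"elements": 0, "event_handlers": 0, "unsafe_urls": 0}
    _clean(root, report)
    return ET.tostring(root, encoding="utf-8"), report


def svg_response_headers():
    """Headers for serving user-uploaded SVGs (assumed values). CSP 'sandbox' blocks script
    and gives the document an opaque origin, so even a script that slipped past the
    sanitizer could not use the viewer's forum session; default-src 'none' blocks fetches."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample: a harmless drawing carrying the vectors the sanitizer must strip.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="/* handler */">
  <script>/* attacker-controlled code would run here when the file is opened directly */</script>
  <rect width="100" height="100" fill="#4a90d9"/>
  <a xlink:href="javascript:void(0)"><circle cx="50" cy="50" r="20"/></a>
  <image href="https://example.com/logo.png" width="10" height="10"/>
  <animate attributeName="href" to="javascript:void(0)"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><p>html</p></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, rep = sanitize_svg(SAMPLE_SVG)
    print(rep)
    print(cleaned.decode())
```

The report dictionary is what you would log at upload time (item 5 above): a non-zero count on an SVG upload is itself a signal worth alerting on. The sanitizer is deliberately conservative (data: URIs and non-SVG elements are dropped even where they would be harmless), which is the right trade-off for a forum attachment; a production deployment should additionally parse with a hardened XML library and keep item 2 (disable SVG uploads) as the fallback.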
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9848c4522896dcbf658e
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 1:06:06 AM
Last updated: 8/8/2025, 2:21:16 AM