Metrics
Affected Vendors & Products
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Thu, 25 Sep 2025 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta1:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta2:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta3:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta4:*:*:beta:*:*:* |
|
Metrics |
cvssV3_1
|
Fri, 11 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|
Mon, 09 Jun 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 09 Jun 2025 13:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`. | |
Title | Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe | |
Weaknesses | CWE-1038 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-06-09T15:17:08.586Z
Reserved: 2025-05-27T20:14:34.296Z
Link: CVE-2025-48877

Updated: 2025-06-09T15:15:00.624Z

Status : Analyzed
Published: 2025-06-09T13:15:23.500
Modified: 2025-09-25T20:27:42.407
Link: CVE-2025-48877

No data.

Updated: 2025-06-24T09:44:11Z