Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.
Metrics
Affected Vendors & Products
References
History
Mon, 25 Aug 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:-:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta1:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta2:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta3:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta4:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.5.0:beta5:*:*:beta:*:*:* |
Wed, 25 Jun 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 25 Jun 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled. | |
Title | Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-06-25T14:19:13.945Z
Reserved: 2025-05-28T18:49:07.585Z
Link: CVE-2025-48954

Updated: 2025-06-25T14:18:11.064Z

Status : Analyzed
Published: 2025-06-25T14:15:24.777
Modified: 2025-08-25T15:04:57.583
Link: CVE-2025-48954

No data.

Updated: 2025-07-06T22:16:28Z