CVE-2025-48954

MEDIUM6.1EPSS 10.1%

Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow

發布日:2025/7/1修改日:2025/11/13

也稱為:GHSA-26p5-mjjh-wfcfBIT-discourse-2025-48954

描述

Discourse is an open-source discussion platform. Versions prior to 3.5.0 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0 patches the issue. As a workaround, have the content security policy enabled.

受影響套件(1)

Bitnami/discoursefrom 0, < 3.5.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

參考連結(2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-48954