Unrated severityNVD Advisory· Published Mar 17, 2023· Updated Feb 25, 2025

Discourse vulnerable to Cross-site Scripting - user name displayed on post

CVE-2023-25172

Description

Discourse is an open-source discussion platform. Prior to version 3.0.1 of the stable branch and version 3.1.0.beta2 of the beta and tests-passed branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the stable branch and version 3.1.0.beta2 of the beta and tests-passed branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Affected products

Discourse (software)/Discoursev5
Range: stable < 3.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915mitrex_refsource_MISC
github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9amitrex_refsource_MISC
github.com/discourse/discourse/pull/20008mitrex_refsource_MISC
github.com/discourse/discourse/pull/20009mitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvpmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000