SB2025060974 - Multiple vulnerabilities in Discourse



SB2025060974 - Multiple vulnerabilities in Discourse

Published: June 9, 2025 Updated: July 1, 2026

Security Bulletin ID SB2025060974
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-48053)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in bot private message URL handling when processing a malicious URL sent in a private message to a bot user. A remote user can send a specially crafted private message containing a malicious URL to cause a denial of service.


2) Cross-site scripting (CVE-ID: CVE-2025-48062)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject HTML into the email body and disclose sensitive information.

The vulnerability exists due to improper neutralization of input during web page generation in invite email templates when including a topic title containing HTML in invitation emails. A remote user can invite someone to a private message or to a topic with a custom message using a crafted topic title to inject HTML into the email body and disclose sensitive information.

The issue affects certain invitations sent to recipients without an account.


3) Cross-site scripting (CVE-ID: CVE-2025-48877)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the iframe scope.

The vulnerability exists due to improper neutralization of active content in embedded CodePen iframe handling when rendering user-supplied embedded CodePen content. A remote user can include a crafted CodePen embed to execute arbitrary JavaScript in the iframe scope.

The issue is related to CodePen being present in the default allowed_iframes site setting.


Remediation

Install update from vendor's website.