Primary

Context

Discourse Cross-Site Scripting Vulnerability in Social Login OAuth Flow

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in Discourse, an open-source discussion platform, affecting versions prior to 3.5.0.beta6. The issue arises when the content security policy (CSP) is not enabled during social login OAuth failure flow, allowing for user-provided query parameters to be exploited. Discourse version 3.5.0.beta6 addresses this vulnerability. Users can enable the content security policy as a workaround.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can upgrade to Discourse version 3.5.0.beta6 or later to address this vulnerability. As an additional step, enabling the content security policy can help mitigate the issue.

Added: Jun 25, 2025, 2:26 PM

Updated: Jun 25, 2025, 2:26 PM

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

1.7

exploitability

4.4

remediation

8.3

relevance

0.2

threat

0.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

1.7

exploitability

4.4

remediation

8.3

relevance

0.2

threat

0.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Discourse Cross-Site Scripting Vulnerability in Social Login OAuth Flow

Vulnerability

Impact

Remediation

Affected Products

Discourse

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating