Discourse Welcome Banner User Name XSS Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the welcome banner user name string shown to logged-in users on Discourse. It can affect the user themselves or an admin impersonating them. The vulnerability arises because a user's display name containing HTML is inserted into the welcome banner and rendered as HTML rather than as text, creating an XSS risk. As a temporary mitigation, admins can remove the 'preferred_display_name' placeholder from the welcome banner text, or avoid impersonating users.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an admin can change the welcome banner text to include a logged-in user's name with embedded HTML, such as an input tag. This will render the HTML in the banner, creating an XSS vulnerability for the user or an admin impersonating them.
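The following is an added example, not Discourse's own code, illustrating the mechanism described in the Vulnerability and Reproduction sections from the defender's side: a banner template that splices a user-controlled display name into HTML is an XSS sink, and escaping the value before substitution closes it. The template syntax ({preferred_display_name}), the function names, and the sample display name are assumptions constructed for this example; only the placeholder name comes from the advisory. It also includes the check an admin would want while the temporary mitigation is in place, namely whether the configured banner text still uses the placeholder.

```javascript
// Added example (not Discourse's code). Shows why substituting a display name
// into banner HTML without escaping is an XSS sink, and the hardened form.
// Template syntax, function names and sample data are assumptions.

const BANNER_PLACEHOLDER = "preferred_display_name"; // placeholder named in the advisory
const PLACEHOLDER_TOKEN = `{${BANNER_PLACEHOLDER}}`;  // assumed template syntax

// Minimal HTML entity escaping for a value that will be inserted into HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the display name is spliced into the banner as-is, so any
// markup in the name becomes live HTML when the banner is rendered.
function renderBannerUnsafe(template, user) {
  return template.split(PLACEHOLDER_TOKEN).join(user.displayName);
}

// Hardened pattern: the untrusted value is escaped before substitution, so the
// name is displayed as text and never parsed as markup.
function renderBannerSafe(template, user) {
  return template.split(PLACEHOLDER_TOKEN).join(escapeHtml(user.displayName));
}

// Mitigation check from the advisory: does the configured banner text still
// reference the display-name placeholder?
function bannerUsesDisplayName(template) {
  return template.includes(PLACEHOLDER_TOKEN);
}

// Detection heuristic for tests or log review: does rendered output contain a
// raw HTML tag where only text was expected?
function containsRawTag(html) {
  return /<[a-zA-Z][^>]*>/.test(html);
}

// Constructed sample data: a plain-text banner and a display name carrying an
// input tag, the element type mentioned in the advisory.
const SAMPLE_TEMPLATE = "Welcome back, {preferred_display_name}!";
const SAMPLE_USER = { displayName: 'Alice <input type="text">' };

// Stand-alone demonstration.
console.log("unsafe:", renderBannerUnsafe(SAMPLE_TEMPLATE, SAMPLE_USER));
console.log("safe:  ", renderBannerSafe(SAMPLE_TEMPLATE, SAMPLE_USER));
console.log("banner uses placeholder:", bannerUsesDisplayName(SAMPLE_TEMPLATE));
```

The safe variant is the general rule for any template value that originates from a user profile: escape at the point where the value enters an HTML context, regardless of which placeholder carries it. Removing the placeholder, as the advisory suggests, only removes this one sink.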

Remediation

Users can update to Discourse version 3.5.0.beta8 or later, where this vulnerability has been patched.

Added: Aug 19, 2025, 5:23 PM
Updated: Aug 19, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          1.7
exploitability  4.0
remediation     8.3
relevance       0.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.