CVE-2023-25172

Discourse vulnerable to Cross-site Scripting - user name displayed on post

Description

Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Category

4.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.56%
Vendor Advisory github.com
Affected: discourse discourse
Published at:
Updated at:

References

Link Tags
https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp vendor advisory
https://github.com/discourse/discourse/pull/20008 patch
https://github.com/discourse/discourse/pull/20009 patch
https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915 patch
https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a patch

Frequently Asked Questions

What is the severity of CVE-2023-25172?
CVE-2023-25172 has been scored as a medium severity vulnerability.
How to fix CVE-2023-25172?
To fix CVE-2023-25172, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-25172 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-25172 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-25172?
CVE-2023-25172 affects discourse discourse.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.