Discourse is vulnerable to XSS when quoting chat messages

3.5 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1.

Basic Information

ID CVE-2025-58054

Source GitHub_M

Published Oct 1, 2025 at 18:42

Modified Oct 1, 2025 at 19:24

Affected Product

Vendor discourse

Product discourse

Version < 3.5.1

Affected Versions discourse discourse < 3.5.1

CWE Classification

CWE-80

References

{
    "lastseen": "",
    "description": "Discourse is an open-source community discussion platform. Versions 3.5.0 and below are vulnerable to XSS attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. This issue is fixed in version 3.5.1.",
    "published": "2025-10-01T18:42:54.700Z",
    "modified": "2025-10-01T19:24:29.602Z",
    "type": "cve",
    "title": "Discourse is vulnerable to XSS when quoting chat messages",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-7p47-8m82-m2vf\nhttps://github.com/discourse/discourse/commit/3a224fd546d894ee408e7414b6879e814a792f91",
    "id": "CVE-2025-58054",
    "bulletinFamily": "",
    "cwe": [
        "CWE-80"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse < 3.5.1",
    "sourceHref": "",
    "cvss": {
        "score": 3.5,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": "< 3.5.1",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Discourse is vulnerable to XSS when quoting chat messages_CVE-2025-58054