CVE-2025-22602

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-694p-c5m3

Configurations

No configuration.

History

04 Feb 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-04 21:15

Updated : 2025-02-04 21:15

NVD link : CVE-2025-22602

Mitre link : CVE-2025-22602

CVE.ORG link : CVE-2025-22602

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.5 /10