SB2025020539 - Multiple vulnerabilities in Discourse

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2024-56328)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within Onebox urls. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Stored cross-site scripting (CVE-ID: CVE-2025-22602)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the video placeholders. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Path traversal (CVE-ID: CVE-2025-22601)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick a victim to make changes to their own username via specially crafted link using the activate-account route.

Remediation

Install update from vendor's website.

References

• https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg
• https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-694p-c5m3
• https://github.com/discourse/discourse/security/advisories/GHSA-gvpp-v7mp-wxxw