HTML Injection Flaw in Discourse Invitation System
CVE-2025-48062
What is CVE-2025-48062?
CVE-2025-48062 is a vulnerability in Discourse, the open-source discussion platform widely used to host forums and community sites. It is an HTML injection flaw in the invitation system: when a topic title contains HTML markup, the invitation emails sent for that topic include that markup unescaped, so the tags are delivered to the recipient as live HTML rather than as text. Invitations are typically addressed to people who do not yet have an account on the forum, and the message arrives through the forum's own mail pipeline, so a recipient has little reason to distrust it. An attacker who can set a topic title can therefore place attacker-controlled links or content inside a legitimate-looking invitation, which enables phishing and other abuse of the platform's communication channel. The issue is fixed in Discourse 3.4.4 and 3.5.0.beta5; administrators should upgrade to a patched release.
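The following is an added illustration of the flaw class described above, written for this page; it is not Discourse's own code or template. The function names, the sample topic title and the invite URL are all hypothetical and constructed here. It shows a topic title being interpolated into an invite email body unescaped, the same template with HTML escaping applied, and a small check that counts the live links in the rendered body.

```ruby
require "cgi"

# Constructed sample input, not taken from any real Discourse instance: a topic
# title that a user with topic-creation rights has set to contain markup.
MALICIOUS_TITLE = 'Welcome! <a href="https://login.example.invalid">Verify your account</a>'
INVITE_URL = "https://forum.example/invites/abc123"

# Hypothetical vulnerable rendering, illustrating the flaw class rather than
# Discourse's own template: the title is interpolated straight into the HTML
# body of the invite email, so any tags it contains reach the recipient as
# live markup.
def invite_email_html_unsafe(topic_title, invite_url)
  "<p>You have been invited to discuss <b>#{topic_title}</b>.</p>" \
    "<p><a href=\"#{invite_url}\">Accept the invitation</a></p>"
end

# Hardened rendering: every attacker-influenced value is HTML-escaped before it
# enters the template. CGI.escapeHTML turns & < > " ' into entities, so the
# title is displayed as text and never interpreted as markup.
def invite_email_html_safe(topic_title, invite_url)
  title = CGI.escapeHTML(topic_title)
  url   = CGI.escapeHTML(invite_url)
  "<p>You have been invited to discuss <b>#{title}</b>.</p>" \
    "<p><a href=\"#{url}\">Accept the invitation</a></p>"
end

# Review-time check: list the href targets of every live anchor in a rendered
# body. A correctly escaped invite contains exactly one link, the invite URL.
def link_hrefs(html)
  html.scan(/<a\s+href="([^"]*)"/i).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe links: #{link_hrefs(invite_email_html_unsafe(MALICIOUS_TITLE, INVITE_URL)).inspect}"
  puts "safe links:   #{link_hrefs(invite_email_html_safe(MALICIOUS_TITLE, INVITE_URL)).inspect}"
end
```

Run stand-alone, the unsafe rendering reports two links (the attacker's phishing target first, then the real invite URL), while the hardened rendering reports only the invite URL. The same link-count check is a cheap regression test to keep around any email template that interpolates user-controlled strings.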
Potential impact of CVE-2025-48062
- Phishing Attacks: Injected markup lets an attacker craft invitation emails that carry deceptive links or content while still being sent by the forum's legitimate mail system. Recipients may be tricked into entering credentials or taking unintended actions, increasing the risk of account compromise and unauthorized access.
- Manipulation of Communication: Because the injected markup is rendered inside the invitation alongside any custom message, a malicious user who controls a topic title can insert harmful or misleading content into messages that appear to come from the community, influencing conversations and spreading misinformation.
- Reputation Damage: Organizations running Discourse may suffer reputational harm if invitees are misled or sensitive data is compromised through this flaw. Trust in the platform can erode, reducing user engagement and driving community members away.
Affected Version(s)
discourse < 3.4.4
discourse < 3.5.0.beta5
discourse < 3.5.0.beta6-dev