CVE-2025-48062: CWE-116: Improper Encoding or Escaping of Output in discourse discourse
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
AI Analysis
Technical Summary
CVE-2025-48062 is a high-severity vulnerability in Discourse, an open-source discussion platform widely used for online community forums and collaboration. It stems from improper encoding or escaping of output (CWE-116), leading to HTML injection (CWE-79) in the email invitations Discourse sends. Specifically, when a user without an account is invited to a private message (PM) or to a topic with a custom message, a topic title that contains HTML is inserted into the email body without being sanitized. The flaw affects Discourse versions prior to 3.4.4 on the stable branch, prior to 3.5.0.beta5 on the beta branch, and prior to 3.5.0.beta6-dev on the tests-passed branch. An attacker with at least low privileges (PR:L) can therefore craft topic titles containing malicious HTML that is injected into the invitation emails sent to recipients. The CVSS 3.1 score is 7.1 (high): the attack vector is network-based (AV:N) with low attack complexity (AC:L), low privileges required (PR:L) and no user interaction (UI:N); confidentiality impact is high (C:H), integrity impact is low (I:L) and there is no availability impact (A:N). The vulnerability can be mitigated by upgrading to the patched versions or by overriding the relevant email templates so that they no longer include the `{topic_title}` variable. No exploits are currently known in the wild. The issue is significant because email clients rendering the injected HTML could execute malicious scripts or display phishing content, potentially compromising recipients' confidentiality or leading to further attacks such as credential theft or session hijacking.
Potential Impact
For European organizations using Discourse to manage community forums, customer support, or internal collaboration, this vulnerability poses a risk to confidentiality and trust. Attackers could exploit this flaw to inject malicious HTML into invitation emails, potentially leading to phishing attacks, credential harvesting, or malware delivery when recipients open the emails. Since the vulnerability requires only low privileges and no user interaction, it could be exploited by insiders or external attackers who can create topics with malicious titles. The impact is particularly critical for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies, where leakage of confidential information or compromise of user credentials could have severe legal and reputational consequences under GDPR and other regulations. Additionally, the vulnerability could be leveraged to target high-profile individuals or groups within organizations, increasing the risk of spear-phishing campaigns. The lack of availability impact means service disruption is unlikely, but the confidentiality breach risk remains significant.
Mitigation Recommendations
European organizations should prioritize upgrading Discourse installations to version 3.4.4 or later on the stable branch, or to the corresponding patched beta or tests-passed versions. Until the upgrade can be applied, administrators should override the email invitation templates to remove the `{topic_title}` variable, which prevents topic-title HTML from reaching the email body. Organizations should also audit topic titles for suspicious or unexpected HTML content and restrict topic creation privileges to trusted users to reduce the risk of exploitation. Email security controls such as DMARC, DKIM, and SPF can help reduce the risk of phishing emails reaching end users, and end users should be trained to recognize suspicious invitation emails and avoid clicking on unexpected links. Monitoring email logs for unusual invitation activity and scanning outgoing emails for malicious content can provide early detection of exploitation attempts. Finally, organizations should maintain an incident response plan to quickly address any suspected compromise resulting from this vulnerability.
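To make the template-level issue concrete, the following Ruby snippet is an added illustration (not Discourse's own code or templates) of the pattern the advisory describes: a constructed invite template that interpolates a `{topic_title}` placeholder into an HTML email body, rendered once with raw substitution and once with HTML escaping, together with a check that flags stored topic titles containing markup for the title audit recommended above. The template text, the `render_*` helpers and the `HTML_MARKUP` pattern are assumptions for illustration only.

```ruby
require "cgi"

# Constructed invite template in the style of a {placeholder} email
# template; NOT Discourse's actual template text.
INVITE_TEMPLATE = <<~HTML
  <p>You have been invited to join the discussion "{topic_title}".</p>
  <p>{invite_message}</p>
HTML

# Vulnerable pattern: placeholders are substituted verbatim into an HTML
# body, so markup inside a topic title becomes live markup in the email.
def render_raw(template, values)
  template.gsub(/\{(\w+)\}/) { values.fetch(Regexp.last_match(1), "").to_s }
end

# Hardened pattern: every substituted value is HTML-escaped, so a title
# containing "<", ">", "&" or quotes is shown as text, not parsed as tags.
def render_escaped(template, values)
  template.gsub(/\{(\w+)\}/) do
    CGI.escapeHTML(values.fetch(Regexp.last_match(1), "").to_s)
  end
end

# Audit helper (assumed heuristic): flag titles containing anything that
# looks like an HTML tag or entity, for the title review the mitigation
# section recommends. A bare "<" in prose such as "2 < 3" is not flagged.
HTML_MARKUP = /<\s*\/?\s*[a-z!][^>]*>|&#?\w+;/i

def suspicious_title?(title)
  !!(title =~ HTML_MARKUP)
end

def audit_titles(titles)
  titles.select { |t| suspicious_title?(t) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample title containing harmless markup.
  title = "Roadmap <b>Q3</b> <i>plans</i>"
  values = { "topic_title" => title, "invite_message" => "Join us" }
  puts render_raw(INVITE_TEMPLATE, values)      # tags survive into the body
  puts render_escaped(INVITE_TEMPLATE, values)  # tags rendered as &lt;b&gt;...
  p audit_titles([title, "Plain title", "2 &lt; 3"])
end
```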
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-15T16:06:40.941Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6846d5937b622a9fdf225522
Added to database: 6/9/2025, 12:37:39 PM
Last enriched: 7/9/2025, 1:25:09 PM
Last updated: 8/18/2025, 4:06:45 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)