CVE-2025-54411

low

Description

Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or not impersonate any users for the time being. This vulnerability is fixed in 3.5.0.beta8.

References

https://github.com/discourse/discourse/security/advisories/GHSA-5mm6-j5vq-6884

https://github.com/discourse/discourse/commit/a3374d2850f07444d113216e1d539ee21650dbff

Details

Source: Mitre, NVD

Published: 2025-08-19

Updated: 2025-08-20

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 2.4

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: Low

EPSS

EPSS: 0.00022