CVE-2025-48062

{"id": "CVE-2025-48062", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2025-06-09T13:15:23.320", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-x8mp-chx3-6x2p", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. En versiones anteriores a la 3.4.4 de la rama `stable`, la 3.5.0.beta5 de la rama `beta` y la 3.5.0.beta6-dev de la rama `tests-passed`, ciertas invitaciones por correo electr\u00f3nico pod\u00edan provocar la inyecci\u00f3n de HTML en el cuerpo del correo si el t\u00edtulo del tema inclu\u00eda HTML. Esto incluye invitar a alguien (sin cuenta) a un mensaje privado y a un tema con un mensaje personalizado. Este problema se ha corregido en las versiones 3.4.4 de la rama `stable`, la 3.5.0.beta5 de la rama `beta` y la 3.5.0.beta6-dev de la rama `tests-passed`. Esto se puede solucionar sobrescribiendo las plantillas correspondientes sin `{topic_title}`."}], "lastModified": "2025-06-12T16:06:47.857", "sourceIdentifier": "security-advisories@github.com"}