CVE-2025-48877 – Discourse Codepen Unintended JS Execution Vulnerability

June 9, 2025

CVE ID : CVE-2025-48877

Published : June 9, 2025, 1:15 p.m. | 2 hours, 25 minutes ago

Description : Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site’s `allowed_iframes`.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-49006 – Keycloak Wasp OAuth Authentication ID Case Sensitivity Vulnerability

Next Article CVE-2025-48062 – Discourse HTML Injection Vulnerability

Highlights

CVE-2025-2768 – Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation

April 23, 2025

CVE ID : CVE-2025-2768

Published : April 23, 2025, 5:16 p.m. | 1 hour, 42 minutes ago

Description : Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Bdrive NetDrive. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25041.

Severity: 7.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

How To Fix Largest Contentful Paint Issues With Subpart Analysis

How To Prevent WordPress SQL Injection Attacks

CodeSOD: A Real POS Report

Decoding The SVG path Element: Line Commands

Apple doesn’t need better AI as much as AI needs Apple to bring its A-game

DistroWatch Weekly, Issue 1125

Motion Highlights #9

The 2025 Wholesome Direct was chock-full of cozy casual games and aesthetic vibes

GuacPanel

GuacPanel

FilamentExamples.com: Our Demo-Projects and Tutorials on Filament

Laravel Migration With Schema Validation in MongoDB

Raspberry Pi 5 Desktop Mini PC: Installing Software

Raspberry Pi 5 Desktop Mini PC: Installing Software

SmartOS – Type 1 Hypervisor platform based on illumos

Karakeep is a self-hostable bookmark-everything app

CVE-2025-48877 – Discourse Codepen Unintended JS Execution Vulnerability

CVE-2025-41444 – Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

CVE-2025-5875 – TP-Link TL-IPC544EP-W4 Buffer Overflow Vulnerability

CVE-2025-5697 – Brilliance Golden Link Secondary System SQL Injection Vulnerability

Alright, I’ll reinstall: Halo Infinite’s new Operation update adds one of its coolest-ever weapons, new story missions, and more

I tested Sony’s WH-1000XM6 headphones, and I’m seriously considering ditching my Bose

FloQast builds an AI-powered accounting transformation solution with Anthropic’s Claude 3 on Amazon Bedrock

CVE-2025-2768 – Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation

Meta’s Llama 4 ‘herd’ controversy and AI contamination, explained

New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora

CVE-2025-2872 – Apache HTTP Server Remote Code Execution Vulnerability

CVE-2025-48877 – Discourse Codepen Unintended JS Execution Vulnerability

Related Posts