Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Vulnerability Description
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
CVSS Information
N/A
Vulnerability Type
不安全的自动优化
Vulnerability Title
Discourse 安全漏洞
Vulnerability Description
Discourse是Discourse开源的一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 3.4.4之前版本、3.5.0.beta5之前版本和3.5.0.beta6-dev之前版本存在安全漏洞,该漏洞源于Codepen可能自动运行任意JS,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A