Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Discourse's WebAuthn challenge isn't cleared from user session after authentication
Vulnerability Description
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
CVSS Information
N/A
Vulnerability Type
会话固定
Vulnerability Title
Discourse 授权问题漏洞
Vulnerability Description
Discourse是Discourse开源的一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 3.4.7之前版本和3.5.0.beta.8之前版本存在授权问题漏洞,该漏洞源于WebAuthn挑战未清除,可能导致安全风险增加。
CVSS Information
N/A
Vulnerability Type
N/A