Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowed_iframes site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. As a workaround, the Codepen prefix can be removed from a sites allowed_iframes.
The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discourse | Discourse | * | 3.4.4 (excluding) |
| Discourse | Discourse | * | 3.5.0 (excluding) |
| Discourse | Discourse | 3.5.0-beta1 (including) | 3.5.0-beta1 (including) |
| Discourse | Discourse | 3.5.0-beta2 (including) | 3.5.0-beta2 (including) |
| Discourse | Discourse | 3.5.0-beta3 (including) | 3.5.0-beta3 (including) |
| Discourse | Discourse | 3.5.0-beta4 (including) | 3.5.0-beta4 (including) |