149 lines
13 KiB
JSON
{
"canonical_id": "discourse--68e2bb93e1",
"system_id": "discourse",
"display_name": "Discourse",
"category": "cms",
"advisory_mode": "core",
"title": "3.5.0.beta5: Improved admin search, AI forum research, easier site appearance configuration, and simpler plugin development",
"summary": "<h2><a name=\"p-1779107-new-features-in-350beta5-1\" class=\"anchor\" href=\"https://meta.discourse.org#p-1779107-new-features-in-350beta5-1\" aria-label=\"Heading link\"></a>New features in 3.5.0.beta5</h2>\n<h3><a name=\"p-1779107-refining-the-admin-search-2\" class=\"anchor\" href=\"https://meta.discourse.org#p-1779107-refining-the-admin-search-2\" aria-label=\"Heading link\"></a>Refining the admin search</h3>\n<p>We <a href=\"https://meta.discourse.org/t/introducing-comprehensive-admin-search/360157\">recently released</a> a new full admin search, allowing you to search all areas of your admin from one place. This month, we\u2019ve spent some time refining how it works to make it more usable and more useful. The admin search is now more readily available from the sidebar, only displays a search box to make your searches more focused, and allows you to find what you need more quickly.</p>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/9/7/7/97725c0b3b49e02a0b5506196debee49d63ffa8b.png\" data-download-href=\"/uploads/short-url/lBL6XqXS2asbKfzUzXKbQzoK0T9.png?dl=1\" title=\"2025_admin-search-refinements\" rel=\"noopener nofollow ugc\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/7/7/97725c0b3b49e02a0b5506196debee49d63ffa8b_2_690x306.png\" alt=\"2025_admin-search-refinements\" data-base62-sha1=\"lBL6XqXS2asbKfzUzXKbQzoK0T9\" width=\"690\" height=\"306\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/7/7/97725c0b3b49e02a0b5506196debee49d63ffa8b_2_690x306.png, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/7/7/97725c0b3b49e02a0b5506196debee49d63ffa8b_2_1035x459.png 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/7/7/97725c0b3b49e02a0b5506196debee49d63ffa8b_2_1380x612.png 2x\" data-dominant-color=\"D3D3CF\"></a></div><p></p>\n<h3><a name=\"p-1779107-better-forum-research-with-ai-3\" class=\"anchor\" 
href=\"https://meta.discourse.org#p-1779107-better-forum-research-with-ai-3\" aria-label=\"Heading link\"></a>Better forum research with AI</h3>\n<p>The Discourse AI plugin now includes a new Forum Researcher persona. This persona comes with advanced filtering and analysis capabilities, supporting tags, categories, dates, users, and keywords. It will also more efficiently process research results, providing quicker feedback for all queries.</p>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/6/a/6/6a646e2f9346f1b1b0a2dcbcaf06a6ed4a561291.png\" data-download-href=\"/uploads/short-url/fbbMxZpC9QMJ1WGUFsh0M5su9hv.png?dl=1\" title=\"This image shows a Discord web interface on a Windows system, featuring the login section with placeholders for a username and personal avatar, along with options to switch between &quot;Persona&quot; and &quot;Forum Researcher.&quot; Additionally, it includes a &quot;NEW&quot; announcement on a cloud icon and a note about the potential inaccuracies... (Captioned by AI)\" rel=\"noopener nofollow ugc\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/6/a/6/6a646e2f9346f1b1b0a2dcbcaf06a6ed4a561291_2_690x306.png\" alt=\"This image shows a Discord web interface on a Windows system, featuring the login section with placeholders for a username and personal avatar, along with options to switch between &quot;Persona&quot; and &quot;Forum Researcher.&quot; Additionally, it includes a &quot;NEW&quot; announcement on a cloud icon and a note about the potential inaccuracies... (Captioned by AI)\" data-base62-sha1=\"fbbMxZpC9QMJ1WGUFsh0M5su9hv\" width=\"690\" height=\"306\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/6/a/6/6a646e2f9346f1b1b0a2dcbcaf06a6ed4a561291_2_690x306.png, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/6/a/6/6a646e2f9346f1b1b0a2dcbcaf06a6ed4a561291_2_1035x459.png 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/6/a/6/6a646e2f9346f1b1b0a2dcbcaf06a6ed4a561291_2_1380x612.png 2x\" data-dominant-color=\"FAFBF8\"></a></div><p></p>\n<h3><a name=\"p-1779107-making-your-sites-appearance-easier-to-manage-4\" class=\"anchor\" href=\"https://meta.discourse.org#p-1779107-making-your-sites-appearance-easier-to-manage-4\" aria-label=\"Heading link\"></a>Making your site\u2019s appearance easier to manage</h3>\n<p>As part of our ongoing work to improve site appearance configuration, we have released further improvements that make it easier for you to get your site looking the way you want it to. Settings for fonts and logos are now easier to find in the admin sidebar, images are easier to upload, and the new themes page loads more quickly. Along with this, we have also made changes to the setup wizard and Getting Started guide for new sites, helping admins get into their site configuration more quickly and effectively.</p>\n<h3><a name=\"p-1779107-more-developer-friendly-plugin-creation-5\" class=\"anchor\" href=\"https://meta.discourse.org#p-1779107-more-developer-friendly-plugin-creation-5\" aria-label=\"Heading link\"></a>More developer-friendly plugin creation</h3>\n<p>A little while ago, we introduced a new <code>type: object</code> schema <a href=\"https://meta.discourse.org/t/objects-type-for-theme-setting/305009?silent=true\">for theme settings</a>, allowing theme developers to store a collection of objects as JSON in the database. We have now ported this same settings schema to plugins, allowing plugin developers to take advantage of this simpler, cleaner and more usable format for storing data.
See <a href=\"https://github.com/discourse/discourse/pull/32706\" rel=\"noopener nofollow ugc\">the pull request</a> for more details.</p>\n <p><small>2 posts - 2 participants</small></p>\n <p><a href=\"https://meta.discourse.org/t/3-5-0-beta5-improved-admin-search-ai-forum-research-easier-site-appearance-configuration-and-simpler-plugin-development/367300\">Read full topic</a></p>",
"published_at": "Wed, 28 May 2025 05:22:52 +0000",
"updated_at": "Wed, 28 May 2025 05:22:52 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://meta.discourse.org/t/3-5-0-beta5-improved-admin-search-ai-forum-research-easier-site-appearance-configuration-and-simpler-plugin-development/367300",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"plugin-extension-trust-policy",
"file-upload-validation"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"entity_refs": [
{
"entity_id": "discourse",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "discourse",
"official": true
}
],
"affected_components": [
{
"name": "Discourse",
"entity_id": "discourse",
"scope": "core",
"package_name": null,
"official": true
}
],
"affected_version_ranges": [],
"fixed_version_ranges": [],
"introduced_version": null,
"patched_version": null,
"version_evidence_sources": [
"https://meta.discourse.org/t/3-5-0-beta5-improved-admin-search-ai-forum-research-easier-site-appearance-configuration-and-simpler-plugin-development/367300"
],
"affected_version_refs": [],
"fixed_version_refs": [],
"patched_version_refs": [],
"version_sync_confidence": "low",
"advisory_scope": "core",
"version_confidence": "low",
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
"version_resolution_needed": true,
"workflow": {
"workflow_id": "discourse--68e2bb93e1--workflow",
"vuln_family": "xss",
"entry_surface": "web-ui-render-path",
"preconditions": [
"Execute only against lab-local, lab-public, or explicitly authorized targets.",
"Confirm the target matches the version assertion: the version hit must be confirmed manually from the advisory, lock file, version page, or About page.",
"If the object is in scope `core`, first confirm the extension/repository/package is enabled and running an affected version."
],
"required_role": "editor-or-admin",
"affected_version_assertion": [
"The version hit must be confirmed manually from the advisory, lock file, version page, or About page."
],
"trigger_vector": "Deliver minimal, auditable, reversible controlled input to the `xss`-family entry point and compare behavior before and after the fix.",
"request_or_ui_path": [
"/admin/editor",
"/preview",
"/rendered-content"
],
"input_shape": "Controlled HTML/Markdown/rich-text input; observe whether the rendering context loses output encoding or sanitization.",
"expected_unsafe_behavior": "The input executes in the target context or is interpreted by the browser as active content.",
"server_evidence_points": [
"Hit paths, authorization decisions, and exception stacks in the application logs",
"Request headers, source IPs, and routing decisions in the reverse proxy or edge-layer logs"
],
"browser_evidence_points": [
"DOM/visual differences between the baseline screenshot and the post-attack screenshot",
"Anomalous signals in the console, network, and response metadata"
],
"db_or_fs_evidence_points": [
"Test data newly added to, or read without authorization from, the database",
"Newly added upload samples, cache entries, or traces of unauthorized reads in the file system"
],
"detection_signals": [
"WAF / reverse proxy anomaly logs, access logs, and alerts",
"Permission errors, redirect anomalies, template rendering, or upload-written-to-disk events in the application audit logs"
],
"mitigation_summary": "Upgrade to the fixed version first, and at the same time tighten input validation, server-side authorization, proxy trust boundaries, extension installation trust, and audit logging.",
"patch_validation_steps": [
"Confirm the target version has been upgraded or otherwise moved from the `affected version range` to the `fixed version`.",
"Keep the same set of controlled inputs, run them before and after the fix, and compare the responses, logs, and browser evidence.",
"Confirm that after the fix only the expected business behavior remains and that no privilege escalation, reflection, abnormal rendering, or erroneous requests are triggered.",
"Add `xss`-family automated regression tests so the same class of path does not regress in plugins, themes, or the proxy chain."
],
"lab_safety_notes": [
"Use only loopback addresses, sentinel targets, harmless samples, or reversible test data.",
"Do not cause persistent damage, download real data without authorization, or create irreversible side effects.",
"If browser evidence is needed, keep both baseline and proof snapshots along with the console / network records."
],
"review_state": "needs-version-gap-review"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Discourse Release Notes RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1,
"entity_ref_count": 1,
"advisory_scope": "core",
"version_confidence": "low",
"workflow_id": "discourse--68e2bb93e1--workflow"
}
}
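The workflow in the record above describes a generic before/after check for a render path: send the same set of controlled HTML/Markdown probes before and after a fix, then decide for each probe whether the output still carries active content, survives only as encoded text, or was stripped. The Python below is an added example of that classification and comparison step; it is not Discourse code and is not tied to any issue in the release notes above (which describe none). The rendered outputs are constructed strings standing in for captures from a baseline and a patched instance, and the probe set and the `classify`/`compare_runs` helpers are this example's own.

```python
"""Before/after classification of XSS probes in rendered HTML.

Added example, not Discourse code. The rendered outputs below are constructed
strings standing in for captures from a baseline and a patched instance.
"""
import html
import re
from html.parser import HTMLParser

# Controlled probes covering the usual active-content carriers: a script element,
# an event-handler attribute, a javascript: URL, and an inline SVG handler.
PROBES = {
    "script-tag": "<script>alert(1)</script>",
    "img-onerror": "<img src=x onerror=alert(1)>",
    "js-href": '<a href="javascript:alert(1)">x</a>',
    "svg-onload": "<svg onload=alert(1)>",
}

# Constructed: pre-fix output echoes most probes as live markup; the svg one was already encoded.
BASELINE_RENDERS = {
    "script-tag": "<p><script>alert(1)</script></p>",
    "img-onerror": '<p><img src="x" onerror="alert(1)"></p>',
    "js-href": '<p><a href="javascript:alert(1)">x</a></p>',
    "svg-onload": "<p>&lt;svg onload=alert(1)&gt;</p>",
}

# Constructed: post-fix output either entity-encodes the probe or strips the dangerous parts.
PATCHED_RENDERS = {
    "script-tag": "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>",
    "img-onerror": '<p><img src="x"></p>',
    "js-href": "<p><a>x</a></p>",
    "svg-onload": "<p>&lt;svg onload=alert(1)&gt;</p>",
}

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentScanner(HTMLParser):
    """Records markup a browser would execute: script-like elements, on* handler
    attributes, and javascript: URLs (after dropping the whitespace/control
    characters browsers ignore inside the scheme, so 'java\\tscript:' still counts)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in URL_ATTRS and value is not None:
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"{tag}@{name}=javascript:")


def classify(rendered, probe):
    """Return 'active' if the render would execute, 'encoded' if the probe survives
    only as escaped text, or 'stripped' if the sanitizer removed it."""
    scanner = ActiveContentScanner()
    scanner.feed(rendered)
    scanner.close()
    if scanner.findings:
        return "active"
    # Entity-encoded markup unescapes back to the literal probe but was never parsed as tags.
    if probe in html.unescape(rendered):
        return "encoded"
    return "stripped"


def compare_runs(baseline, patched):
    """Classify every probe in both runs. The verdict is 'fixed' only if nothing is
    active after the patch; 'regressed' flags a probe that became active."""
    per_probe = {}
    for name, probe in PROBES.items():
        per_probe[name] = (classify(baseline[name], probe), classify(patched[name], probe))
    regressed = [n for n, (b, a) in per_probe.items() if a == "active" and b != "active"]
    still_active = [n for n, (_, a) in per_probe.items() if a == "active"]
    verdict = "regressed" if regressed else ("still-active" if still_active else "fixed")
    return {"per_probe": per_probe, "still_active": still_active, "verdict": verdict}


if __name__ == "__main__":
    report = compare_runs(BASELINE_RENDERS, PATCHED_RENDERS)
    for name, (before, after) in report["per_probe"].items():
        print(f"{name:12s} {before:8s} -> {after}")
    print("verdict:", report["verdict"])
```

The point of the three-way result is that "encoded" and "stripped" are both acceptable outcomes but mean different things for the regression suite: an encoded probe proves output encoding is in place in that context, while a stripped one proves only that the sanitizer caught this particular markup. Swapping the constructed dictionaries for real captures from the baseline and patched instances (with a recorded `baseline`/`proof` pair, as the lab notes require) is the only change needed to run it against a real render path.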