hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动
文件
9c8cc7ec8a83920f5260379bc68ef9728966d685
websafe-kb/08-threat-intel/registry/advisories/discourse--111e9b52a2.json
hao bfd7d732ae feat: sync version-driven intel coverage
2026-03-21 18:18:55 -07:00

149 行
13 KiB
JSON
原始文件 Blame 文件历史

{
"canonical_id": "discourse--111e9b52a2",
"system_id": "discourse",
"display_name": "Discourse",
"category": "cms",
"advisory_mode": "core",
"title": "3.5.0.beta9: Improving color management, core welcome banner, and staff action log filters",
"summary": "<h2><a name=\"p-1838743-new-features-in-350beta9-1\" class=\"anchor\" href=\"https://meta.discourse.org#p-1838743-new-features-in-350beta9-1\" aria-label=\"Heading link\"></a>New features in 3.5.0.beta9</h2>\n<h3><a name=\"p-1838743-ongoing-improvements-to-color-management-2\" class=\"anchor\" href=\"https://meta.discourse.org#p-1838743-ongoing-improvements-to-color-management-2\" aria-label=\"Heading link\"></a>Ongoing improvements to color management</h3>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/8/7/7/877c87c05d8fa7a1b16ba6438419955344205ab9.png\" data-download-href=\"/uploads/short-url/jkzgkwi2bXrbJ6iD5B5QMt4Ab4l.png?dl=1\" title=\"Visual selection for color palettes in user preferences.\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/7/7/877c87c05d8fa7a1b16ba6438419955344205ab9_2_421x375.png\" alt=\"Visual selection for color palettes in user preferences.\" data-base62-sha1=\"jkzgkwi2bXrbJ6iD5B5QMt4Ab4l\" width=\"421\" height=\"375\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/7/7/877c87c05d8fa7a1b16ba6438419955344205ab9_2_421x375.png, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/7/7/877c87c05d8fa7a1b16ba6438419955344205ab9_2_631x562.png 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/7/7/877c87c05d8fa7a1b16ba6438419955344205ab9_2_842x750.png 2x\" data-dominant-color=\"F2F6F5\"></a></div><p></p>\n<p>Color palettes have been receiving a lot of attention lately as we\u2019ve been adding features and improving the flow of creating and managing colour palettes. The aim of these updates is to make it easy to apply your brand colors to your community, while continuing to cater to varied and dynamic colour palette options. Recent updates to colour palettes include significantly improved dark mode handling at the theme level, better sorting of palettes in the admin, visual palette previews in user preferences, and improved wording of settings for palettes to make them easier to configure.</p>\n<p><strong><a href=\"https://meta.discourse.org/tags/c/announcements/67/color-palettes\">Read the latest announcements about these updates</a>. There are more color palette updates on the way!</strong></p>\n<h3><a name=\"p-1838743-welcome-banner-now-in-discourse-core-3\" class=\"anchor\" href=\"https://meta.discourse.org#p-1838743-welcome-banner-now-in-discourse-core-3\" aria-label=\"Heading link\"></a>Welcome banner now in Discourse core</h3>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/8/c/b/8cb9651fa6714828ace0fa7e1cbfdce8382b66e4.png\" data-download-href=\"/uploads/short-url/k4U3h9mLHXjONC1YErP9mzAZiM4.png?dl=1\" title=\"The welcome banner feature, which greets members and offers easy access to search.\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/c/b/8cb9651fa6714828ace0fa7e1cbfdce8382b66e4_2_517x196.png\" alt=\"The welcome banner feature, which greets members and offers easy access to search.\" data-base62-sha1=\"k4U3h9mLHXjONC1YErP9mzAZiM4\" width=\"517\" height=\"196\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/c/b/8cb9651fa6714828ace0fa7e1cbfdce8382b66e4_2_517x196.png, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/c/b/8cb9651fa6714828ace0fa7e1cbfdce8382b66e4_2_775x294.png 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/8/c/b/8cb9651fa6714828ace0fa7e1cbfdce8382b66e4_2_1034x392.png 2x\" data-dominant-color=\"99999D\"></a></div><p></p>\n<p>Discourse core now includes settings for a built-in welcome banner that can be configured for each theme. This replaces the existing <a href=\"https://meta.discourse.org/t/advanced-search-banner/122939\">Advanced search banner</a> theme component, making the banner more usable and simple to configure. Taking advantage of new theme site settings, the welcome banner can be enabled for themes individually, with display settings being changed globally, giving you more control over where and how it is displayed to your members.</p>\n<p><strong>Check out the <a href=\"https://meta.discourse.org/t/creating-a-banner-to-display-at-the-top-of-your-site/153718#p-762961-welcome-banner-1\">documentation for adding a welcome banner to your theme</a>.</strong></p>\n<h3><a name=\"p-1838743-more-control-over-staff-action-logs-4\" class=\"anchor\" href=\"https://meta.discourse.org#p-1838743-more-control-over-staff-action-logs-4\" aria-label=\"Heading link\"></a>More control over staff action logs</h3>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/7/f/0/7f0a6a890b50a71f1ff25346a1f5c42520c70ed9.png\" data-download-href=\"/uploads/short-url/i7QXdZB4TCnAjczrL4d28sWGSSt.png?dl=1\" title=\"Date range filters on staff action logs.\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/7/f/0/7f0a6a890b50a71f1ff25346a1f5c42520c70ed9_2_517x133.png\" alt=\"Date range filters on staff action logs.\" data-base62-sha1=\"i7QXdZB4TCnAjczrL4d28sWGSSt\" width=\"517\" height=\"133\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/7/f/0/7f0a6a890b50a71f1ff25346a1f5c42520c70ed9_2_517x133.png, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/7/f/0/7f0a6a890b50a71f1ff25346a1f5c42520c70ed9_2_775x199.png 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/7/f/0/7f0a6a890b50a71f1ff25346a1f5c42520c70ed9_2_1034x266.png 2x\" data-dominant-color=\"F6F6F6\"></a></div><p></p>\n<p>We\u2019ve published a few updates to make the staff action logs more useful. These are logs available at <code>/admin/logs/staff_action_logs</code> that allow you to see all the actions being taken by your community\u2019s staff, so you can keep track of the who, when, why, and what of changes being made to your site. The recent updates add a date range selector to the logs, giving you more granular control over how they are displayed and what you choose to see and export.</p>\n <p><small>2 posts - 2 participants</small></p>\n <p><a href=\"https://meta.discourse.org/t/3-5-0-beta9-improving-color-management-core-welcome-banner-and-staff-action-log-filters/379217\">Read full topic</a></p>",
"published_at": "Tue, 19 Aug 2025 08:07:02 +0000",
"updated_at": "Tue, 19 Aug 2025 08:07:02 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://meta.discourse.org/t/3-5-0-beta9-improving-color-management-core-welcome-banner-and-staff-action-log-filters/379217",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"plugin-extension-trust-policy",
"file-upload-validation"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"entity_refs": [
{
"entity_id": "discourse",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "discourse",
"official": true
}
],
"affected_components": [
{
"name": "Discourse",
"entity_id": "discourse",
"scope": "core",
"package_name": null,
"official": true
}
],
"affected_version_ranges": [],
"fixed_version_ranges": [],
"introduced_version": null,
"patched_version": null,
"version_evidence_sources": [
"https://meta.discourse.org/t/3-5-0-beta9-improving-color-management-core-welcome-banner-and-staff-action-log-filters/379217"
],
"affected_version_refs": [],
"fixed_version_refs": [],
"patched_version_refs": [],
"version_sync_confidence": "low",
"advisory_scope": "core",
"version_confidence": "low",
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
"version_resolution_needed": true,
"workflow": {
"workflow_id": "discourse--111e9b52a2--workflow",
"vuln_family": "xss",
"entry_surface": "web-ui-render-path",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "editor-or-admin",
"affected_version_assertion": [
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
],
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/admin/editor",
"/preview",
"/rendered-content"
],
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "needs-version-gap-review"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Discourse Release Notes RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1,
"entity_ref_count": 1,
"advisory_scope": "core",
"version_confidence": "low",
"workflow_id": "discourse--111e9b52a2--workflow"
}
}
在新工单中引用 查看 Git Blame 复制永久链接