146 lines
15 KiB
JSON
{
  "canonical_id": "discourse--b5351f62de",
  "system_id": "discourse",
  "display_name": "Discourse",
  "category": "cms",
  "advisory_mode": "core",
  "title": "3.5.0beta3: Full admin search, better font selection, more robust site search, category personalization, and easier configuration management",
  "summary": "<h2><a name=\"p-1758744-new-features-in-350beta3-1\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-new-features-in-350beta3-1\" aria-label=\"Heading link\"></a>New features in 3.5.0.beta3</h2>\n<h3><a name=\"p-1758744-a-comprehensive-admin-search-2\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-a-comprehensive-admin-search-2\" aria-label=\"Heading link\"></a>A comprehensive admin search</h3>\n<p>It is now possible to search the entire Discourse admin from a single interface - this includes pages, settings, themes, components, and reports. To bring up the search box, click the new \u2018Search\u2019 link near the top of the admin sidebar. You can also access it from anywhere in the admin interface with the shortcut <kbd>Ctrl</kbd>+<kbd>/</kbd> or <kbd>Cmd</kbd>+<kbd>/</kbd>. This interface makes it much easier to find exactly what you\u2019re looking for, no matter what it is. <strong><a href=\"https://meta.discourse.org/t/introducing-comprehensive-admin-search/360157\">Learn more and provide feedback here</a>.</strong></p>\n<p></p><div class=\"video-placeholder-container\" data-video-src=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/6/9/b/69bff6f136281368c8722132f96e5e02ce909414.mp4\" data-thumbnail-src=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/f/5/3/f5340a94a266a469e9bc947247fa799ae8adbe90.png\" data-video-base62-sha1=\"f5vpPLZxfJPjkjfAW7VHVk92swA.mp4\">\n </div><p></p>\n<h3><a name=\"p-1758744-personalize-your-community-with-category-icons-3\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-personalize-your-community-with-category-icons-3\" aria-label=\"Heading link\"></a>Personalize your community with category icons</h3>\n<p>Categories can now be personalized with icons to reflect the personality of your community. You can select emoji or regular Discourse icons that use the category\u2019s existing colour. This is a great way to make your site feel more unique and your categories more reflective of the content they include. <strong><a href=\"https://meta.discourse.org/t/bringing-popular-features-to-discourse-header-search-welcome-banner-and-category-icons-emoji/359169#p-1741866-category-icons-and-emoji-7\">Find out more here</a>.</strong></p>\n<p></p><div class=\"video-placeholder-container\" data-video-src=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/8/6/9/869fcbe84339af022d23c08df7319c1b8715905c.mp4\" data-thumbnail-src=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/9/a/8/9a8a8a0380a92a6bdaa0f072605c04a16c9397de.png\" data-video-base62-sha1=\"jcWlinfSo9NqASIZCV2tmSbdNBq.mp4\">\n </div><p></p>\n<h3><a name=\"p-1758744-easier-configuration-management-with-bulk-saving-4\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-easier-configuration-management-with-bulk-saving-4\" aria-label=\"Heading link\"></a>Easier configuration management with bulk saving</h3>\n<p>Gone are the days where you have to save each setting one-by-one. Now, as you edit settings in your Discourse admin, a banner shows up at the bottom indicating how many settings you have modified, allowing you to save them all with a single click. The banner remains in place as you filter settings on the page, and you will receive a warning if you navigate away from a page with unsaved settings. <strong>You can use this right now in your Discourse admin.</strong></p>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/9/5/a/95a1925db658ef48dc0ad20315933fe53ff2a31a.jpeg\" data-download-href=\"/uploads/short-url/llHj9DtLt2I4TzBtJ2a2yY8DvKO.jpeg?dl=1\" title=\"This image shows a Content settings screen where tags can be configured on a website, with options for suppressing uncategorized items and setting max tags per topic and email subject. (Captioned by AI)\" rel=\"noopener nofollow ugc\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/5/a/95a1925db658ef48dc0ad20315933fe53ff2a31a_2_590x500.jpeg\" alt=\"This image shows a Content settings screen where tags can be configured on a website, with options for suppressing uncategorized items and setting max tags per topic and email subject. (Captioned by AI)\" data-base62-sha1=\"llHj9DtLt2I4TzBtJ2a2yY8DvKO\" width=\"590\" height=\"500\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/5/a/95a1925db658ef48dc0ad20315933fe53ff2a31a_2_590x500.jpeg, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/5/a/95a1925db658ef48dc0ad20315933fe53ff2a31a_2_885x750.jpeg 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/9/5/a/95a1925db658ef48dc0ad20315933fe53ff2a31a_2_1180x1000.jpeg 2x\" data-dominant-color=\"F5F6F1\"></a></div><p></p>\n<h3><a name=\"p-1758744-more-robust-site-search-5\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-more-robust-site-search-5\" aria-label=\"Heading link\"></a>More robust site search</h3>\n<p>When searching for content on any Discourse site, you now have more control over the sources of content that show up in search results. You can now specifically target posts written by humans or bots, as well as whispers and regular posts (<a href=\"https://github.com/discourse/discourse/pull/32252\" rel=\"noopener nofollow ugc\">details on GitHub</a>). <strong>You can test this out on your site today.</strong></p>\n<h3><a name=\"p-1758744-better-font-selection-6\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-better-font-selection-6\" aria-label=\"Heading link\"></a>Better font selection</h3>\n<p>Selecting your community\u2019s fonts is now easier than ever. The new font selection panel includes visual previews of the available fonts, as well as text size. This is part of the ongoing improvements to the branding and site appearance configuration experience. <strong>Check out the changes in the \u201cLogo and fonts\u201d page in your Discourse admin.</strong></p>\n<p></p><div class=\"lightbox-wrapper\"><a class=\"lightbox\" href=\"https://d11a6trkgmumsb.cloudfront.net/original/4X/c/0/a/c0a47fc25aee7e6bcba6d597d498debaf4c0f0d5.jpeg\" data-download-href=\"/uploads/short-url/ruc6WhmCA7ZHrOlXnJXX0DhVP8N.jpeg?dl=1\" title=\"The image displays a configuration page for the Discourse software, allowing users to select fonts and adjust default text sizes for the base and heading boxes within the platform. (Captioned by AI)\" rel=\"noopener nofollow ugc\"><img src=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/c/0/a/c0a47fc25aee7e6bcba6d597d498debaf4c0f0d5_2_667x500.jpeg\" alt=\"The image displays a configuration page for the Discourse software, allowing users to select fonts and adjust default text sizes for the base and heading boxes within the platform. (Captioned by AI)\" data-base62-sha1=\"ruc6WhmCA7ZHrOlXnJXX0DhVP8N\" width=\"667\" height=\"500\" srcset=\"https://d11a6trkgmumsb.cloudfront.net/optimized/4X/c/0/a/c0a47fc25aee7e6bcba6d597d498debaf4c0f0d5_2_667x500.jpeg, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/c/0/a/c0a47fc25aee7e6bcba6d597d498debaf4c0f0d5_2_1000x750.jpeg 1.5x, https://d11a6trkgmumsb.cloudfront.net/optimized/4X/c/0/a/c0a47fc25aee7e6bcba6d597d498debaf4c0f0d5_2_1334x1000.jpeg 2x\" data-dominant-color=\"F7F8F5\"></a></div><p></p>\n<h2><a name=\"p-1758744-security-updates-7\" class=\"anchor\" href=\"https://meta.discourse.org#p-1758744-security-updates-7\" aria-label=\"Heading link\"></a>Security Updates</h2>\n<p>This release includes fixes for these security issues reported by our community and <a href=\"https://hackerone.com/discourse\" rel=\"noopener nofollow ugc\">HackerOne</a>.</p>\n<ul>\n<li><a href=\"https://github.com/discourse/discourse/security/advisories/GHSA-mqqq-h2x3-46fr\" class=\"inline-onebox\" rel=\"noopener nofollow ugc\">DM limits aren\u2019t always properly enforced \u00b7 Advisory \u00b7 discourse/discourse \u00b7 GitHub</a></li>\n</ul>\n <p><small>2 posts - 2 participants</small></p>\n <p><a href=\"https://meta.discourse.org/t/3-5-0beta3-full-admin-search-better-font-selection-more-robust-site-search-category-personalization-and-easier-configuration-management/362894\">Read full topic</a></p>",
  "published_at": "Tue, 29 Apr 2025 04:43:00 +0000",
  "updated_at": "Tue, 29 Apr 2025 04:43:00 +0000",
  "severity": "unknown",
  "cvss_score": null,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://meta.discourse.org/t/3-5-0beta3-full-admin-search-better-font-selection-more-robust-site-search-category-personalization-and-easier-configuration-management/362894",
  "secondary_source_urls": [],
  "aliases": [],
  "cve_ids": [],
  "ghsa_ids": [],
  "osv_ids": [],
  "affected_versions": [],
  "fixed_versions": [],
  "package_name": null,
  "render_markdown": false,
  "case_path": null,
  "secure_code_topics": [
    "authz-server-side-recheck",
    "xss-output-encoding",
    "plugin-extension-trust-policy",
    "file-upload-validation",
    "dependency-upgrade-policy"
  ],
  "status": "triage",
  "triage_reasons": [
    "missing affected/fixed version details"
  ],
  "entity_refs": [
    {
      "entity_id": "discourse",
      "entity_type": "system",
      "relation": "root-system",
      "root_system_id": "discourse",
      "official": true
    }
  ],
  "affected_components": [
    {
      "name": "Discourse",
      "entity_id": "discourse",
      "scope": "core",
      "package_name": null,
      "official": true
    }
  ],
  "affected_version_ranges": [],
  "fixed_version_ranges": [],
  "introduced_version": null,
  "patched_version": null,
  "version_evidence_sources": [
    "https://meta.discourse.org/t/3-5-0beta3-full-admin-search-better-font-selection-more-robust-site-search-category-personalization-and-easier-configuration-management/362894"
  ],
  "advisory_scope": "core",
  "version_confidence": "low",
  "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
  "version_resolution_needed": true,
  "workflow": {
    "workflow_id": "discourse--b5351f62de--workflow",
    "vuln_family": "xss",
    "entry_surface": "web-ui-render-path",
    "preconditions": [
      "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
      "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
      "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
    ],
    "required_role": "editor-or-admin",
    "affected_version_assertion": [
      "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
    ],
    "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
    "request_or_ui_path": [
      "/admin/editor",
      "/preview",
      "/rendered-content"
    ],
    "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
    "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
    "server_evidence_points": [
      "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
      "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
    ],
    "browser_evidence_points": [
      "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
      "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
    ],
    "db_or_fs_evidence_points": [
      "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
      "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
    ],
    "detection_signals": [
      "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
      "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
    ],
    "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
    "patch_validation_steps": [
      "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
      "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
      "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
      "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
    ],
    "lab_safety_notes": [
      "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
      "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
      "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
    ],
    "review_state": "needs-version-gap-review"
  },
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "Discourse Release Notes RSS"
    ],
    "source_kinds": [
      "rss-feed"
    ],
    "candidate_count": 1,
    "entity_ref_count": 1,
    "advisory_scope": "core",
    "version_confidence": "low",
    "workflow_id": "discourse--b5351f62de--workflow"
  }
}