Discourse Code Execution Vulnerability via Auto-Running JavaScript in CodePen Iframe
Vulnerability
A vulnerability allowing arbitrary JavaScript execution has been identified in Discourse, an open-source discussion platform. It affects versions prior to 3.4.4 on the stable branch, versions prior to 3.5.0.beta5 on the beta branch, and versions prior to 3.5.0.beta6-dev on the tests-passed branch. The allowed_iframes site setting lists the URL prefixes that users are permitted to embed as iframes in posts, and CodePen was included in that list by default. Because a CodePen pen auto-runs the JavaScript it contains, a user who could post an embed was able to have script of their choosing execute inside the embedded iframe whenever another user viewed the post.
Impact
An attacker who can post an embedded CodePen pen can run JavaScript of their choosing in the iframe that loads in other users' browsers. The script executes in the iframe's own origin rather than Discourse's, so the browser's same-origin policy keeps it away from the forum's DOM, cookies and session unless a further weakness is present; it can still present arbitrary content to the viewing user and interact with other site features exposed to the iframe in unintended ways.
Remediation
Upgrade to Discourse version 3.4.4 or later on the stable branch, version 3.5.0.beta5 or later on the beta branch, or version 3.5.0.beta6-dev or later on the tests-passed branch. Alternatively, remove the CodePen prefix from the site's allowed_iframes setting; after upgrading, it is still worth confirming that the setting on the running instance no longer contains a CodePen entry, since a value customized before the upgrade is not necessarily rewritten by it.
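The following audit helper is an added example, not Discourse's own code, for checking and hardening the allowed_iframes value described above. It assumes the setting is a pipe-separated list of URL prefixes that embed src attributes are matched against by prefix, as the Discourse admin UI presents it; the sample value is constructed to resemble a default list, and the PUT /admin/site_settings/allowed_iframes request shape is an assumption to be verified against your instance's admin API before use.

```python
"""
Audit helper for the Discourse allowed_iframes site setting.

Added example, not code from Discourse. Assumptions (not taken from the advisory):
- the setting value is a pipe-separated list of URL prefixes;
- an embed src is accepted when it starts with one of those prefixes;
- the admin API updates a setting with PUT /admin/site_settings/<name>
  and a form field named after the setting (verify on your instance).
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample value shaped like a default list; not exported from a real site.
SAMPLE_ALLOWED_IFRAMES = (
    "https://www.google.com/maps/embed?|"
    "https://www.openstreetmap.org/export/embed.html?|"
    "https://calendar.google.com/calendar/embed?|"
    "https://codepen.io/"
)

# Hosts treated as CodePen; subdomains of these hosts are matched too.
CODEPEN_HOSTS = {"codepen.io"}


def parse_allowed_iframes(value: str) -> list[str]:
    """Split the pipe-separated setting into individual non-empty prefixes."""
    return [p.strip() for p in value.split("|") if p.strip()]


def is_codepen_prefix(prefix: str) -> bool:
    """True when the prefix's host is codepen.io or one of its subdomains."""
    host = (urlsplit(prefix).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CODEPEN_HOSTS)


def find_codepen_prefixes(value: str) -> list[str]:
    """Return every entry in the setting that would admit a CodePen embed."""
    return [p for p in parse_allowed_iframes(value) if is_codepen_prefix(p)]


def hardened_allowed_iframes(value: str) -> str:
    """Return the setting with all CodePen entries removed, in the same format."""
    return "|".join(p for p in parse_allowed_iframes(value) if not is_codepen_prefix(p))


def loose_prefixes(value: str) -> list[str]:
    """Flag prefixes that stop at the host with no path: a plain prefix match on
    'https://codepen.io' also accepts 'https://codepen.io.attacker.example/'."""
    return [p for p in parse_allowed_iframes(value) if urlsplit(p).path == ""]


def embed_src_is_allowed(src: str, value: str) -> bool:
    """Prefix match of the kind the setting implies (assumed, not Discourse's code)."""
    return any(src.startswith(p) for p in parse_allowed_iframes(value))


def build_update_request(base_url: str, value: str) -> dict[str, object]:
    """Describe the admin API call that would apply a hardened value.

    Assumption: PUT /admin/site_settings/allowed_iframes with a form field
    'allowed_iframes'. Returned as data so the caller can review it first;
    nothing is sent from here.
    """
    return {
        "method": "PUT",
        "url": base_url.rstrip("/") + "/admin/site_settings/allowed_iframes",
        "data": {"allowed_iframes": value},
    }


if __name__ == "__main__":
    hits = find_codepen_prefixes(SAMPLE_ALLOWED_IFRAMES)
    print("CodePen entries:", hits)
    print("Loose entries:", loose_prefixes(SAMPLE_ALLOWED_IFRAMES))
    print("Hardened value:", hardened_allowed_iframes(SAMPLE_ALLOWED_IFRAMES))
    print(build_update_request("https://forum.example", hardened_allowed_iframes(SAMPLE_ALLOWED_IFRAMES)))
```

Run it against the value exported from your own instance rather than the constructed sample; the loose-prefix check is a general prefix-matching pitfall and is worth applying to every entry, not only the CodePen one.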
