Codepen · CVE-2025-48877
**Name of the Vulnerable Software and Affected Versions**
Discourse versions prior to 3.4.4
Discourse version 3.5.0.beta5 and earlier of the beta branch
Discourse version 3.5.0.beta6-dev and earlier of the tests-passed branch
**Description**
Discourse is an open-source discussion platform. In versions prior to the fixed ones, Codepen is present in the default site setting `allowed iframes`, so Codepen embeds are allowed by default. A Codepen embed can auto-run arbitrary JavaScript in the iframe's scope, which was not intended when Codepen was added to the default allow list.
**Recommendations**
For Discourse versions prior to 3.4.4, update to version 3.4.4 or later.
For Discourse version 3.5.0.beta5 and earlier of the beta branch, update to a version later than 3.5.0.beta5.
For Discourse version 3.5.0.beta6-dev and earlier of the tests-passed branch, update to a version later than 3.5.0.beta6-dev.
As a temporary workaround for all affected versions, consider removing the Codepen prefix from the site's `allowed iframes` setting to minimize the risk of exploitation.
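To check whether a site is still exposed and to produce the corrected setting value, the following added example (not code from Discourse or from the advisory) audits an `allowed iframes` value for Codepen prefixes. It assumes the setting is stored as a `|`-separated string of URL prefixes and that a prefix is "Codepen" when its hostname is `codepen.io` or a subdomain of it; the sample setting value is constructed for the example, and `RISKY_HOSTS` can be extended if an operator wants to flag further hosts.

```python
"""Audit a Discourse `allowed iframes` site-setting value for Codepen prefixes.

Added example, not Discourse code. Assumption: list settings are stored as a
'|'-separated string of URL prefixes (e.g. "https://a.example/?|https://b.example/").
"""
from urllib.parse import urlsplit

DELIM = "|"
# Hosts whose embeds can run arbitrary script (codepen.io from the advisory).
RISKY_HOSTS = {"codepen.io"}

# Constructed sample value; the codepen.io entry is the one the advisory warns about.
SAMPLE_SETTING = (
    "https://www.google.com/maps/embed?"
    "|https://codepen.io/"
    "|https://www.openstreetmap.org/export/embed.html?"
)


def parse_allowed_iframes(value: str) -> list[str]:
    """Split the raw setting into its individual URL prefixes, dropping blanks."""
    return [p.strip() for p in value.split(DELIM) if p.strip()]


def is_risky_prefix(prefix: str) -> bool:
    """True if the prefix's host is one of RISKY_HOSTS or a subdomain of one.

    The match is on the parsed hostname, not a substring search, so a prefix
    such as https://codepen.io.evil.example/ is not mistaken for Codepen and a
    query string that merely mentions codepen.io is not flagged either.
    """
    # A prefix written without a scheme would parse as a path; assume https.
    if "://" not in prefix:
        prefix = "https://" + prefix
    host = (urlsplit(prefix).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in RISKY_HOSTS)


def audit_allowed_iframes(value: str) -> tuple[list[str], list[str]]:
    """Return (flagged, kept): risky prefixes and the remaining safe ones."""
    prefixes = parse_allowed_iframes(value)
    flagged = [p for p in prefixes if is_risky_prefix(p)]
    kept = [p for p in prefixes if not is_risky_prefix(p)]
    return flagged, kept


def sanitized_setting(value: str) -> str:
    """The setting value with every risky prefix removed, ready to paste back."""
    _, kept = audit_allowed_iframes(value)
    return DELIM.join(kept)


if __name__ == "__main__":
    flagged, kept = audit_allowed_iframes(SAMPLE_SETTING)
    for p in flagged:
        print(f"FLAGGED: {p}")
    print("sanitized allowed iframes:")
    print(sanitized_setting(SAMPLE_SETTING))
```

Run it against the value copied from the admin UI (or from `SiteSetting.allowed_iframes` in a Rails console); if anything is flagged, the printed sanitized value is what the workaround above asks you to set. Removing the prefix only stops new embeds from being rendered as iframes; upgrading to a fixed version remains the actual remediation.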