CVE-2021-37693 Information
Jun 07, 2022
cve
Description
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when an additional email address is added to an existing account on a Discourse site, an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token, which can then be used in other contexts, including resetting a password.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Reference
https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4
https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2f5336ef
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
7.5
Base Severity
HIGH