Discourse user account takeover via email and invite link
CVE-2022-39356
8.9HIGH
Summary
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to that user's account when accepting the invitation. All users should upgrade to the latest version. A workaround is to temporarily disable invitations with `SiteSetting.max_invites_per_day = 0` or to scope invitations to individual email addresses.
Affected Version(s)
discourse <= 2.8.9
discourse <= 2.9.0.beta10
References
CVSS V3.1
Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved