Discourse password reset link can lead to account takeover if user changes to a new email
CVE-2022-46177

8.1 HIGH

Key Information:

Vendor
discourse
Status
Vendor
CVE Published:
5 January 2023

Summary

The Discourse platform contains a security flaw where a user can request a password reset link while changing their primary email address. If the user uses the old email to reset their password, their account can be re-linked to the old email, leaving it open to account takeover if that old email is compromised. This issue affects versions prior to 2.8.14 on the stable branch and 3.0.0.beta16 on beta branches. Users are advised to upgrade to a fixed version to mitigate this risk, or, as a temporary workaround, reduce the email_token_valid_hours setting, which currently defaults to 48 hours.
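The flow the summary describes, modelled as an added illustrative example in Ruby (not Discourse's own code): a reset token is bound to the email it was issued for, the vulnerable redemption re-links the account to that email, and the fixed redemption refuses a token whose email is no longer the account's primary address. `Account`, `PasswordReset`, `redeem_vulnerable` and `redeem_fixed` are hypothetical names; only the `email_token_valid_hours` setting and its 48-hour default come from the advisory.

```ruby
require 'securerandom'

# Illustrative model (not Discourse's code): a reset token is bound to the
# email it was sent to, and is honoured only while that email is still the
# account's primary address and the token is inside its validity window.
Account = Struct.new(:primary_email, :password)

class PasswordReset
  Token = Struct.new(:value, :account, :email, :issued_at)

  # Hypothetical setting named after the page's email_token_valid_hours (48h).
  def initialize(email_token_valid_hours: 48)
    @valid_seconds = email_token_valid_hours * 3600
    @tokens = {}
  end

  # Issue a token for the address the user requested the reset on.
  def issue(account, email, now: Time.now)
    value = SecureRandom.hex(16)
    @tokens[value] = Token.new(value, account, email, now)
    value
  end

  # Vulnerable redemption (the behaviour the advisory describes): an
  # unexpired token is accepted even after the account moved to a new
  # primary email, and the account is re-linked to the old address.
  def redeem_vulnerable(value, new_password, now: Time.now)
    t = @tokens.delete(value)
    return :invalid unless t && now - t.issued_at <= @valid_seconds
    t.account.primary_email = t.email
    t.account.password = new_password
    :ok
  end

  # Fixed redemption: reject a token whose email is no longer the account's
  # primary email, and never rewrite the email as part of a reset.
  def redeem_fixed(value, new_password, now: Time.now)
    t = @tokens.delete(value)
    return :invalid unless t && now - t.issued_at <= @valid_seconds
    return :stale_email unless t.email == t.account.primary_email
    t.account.password = new_password
    :ok
  end
end
```

Shortening `email_token_valid_hours` only narrows the window in which a stale token is still accepted; the real fix is to tie redemption to the account's current primary email.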

Affected Version(s)

discourse < 2.8.14

discourse >= 2.9.0.beta0, < 3.0.0.beta16

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.