Discourse password reset link can lead to an account takeover if user changes to a new email
CVE-2022-46177
What is CVE-2022-46177?
The Discourse platform contains a security flaw where a user can request a password reset link and then change their primary email address while that link is still valid. If the user later resets their password using the link sent to the old email, the account is re-linked to the old email address; if that old address has since been compromised, this leads to an account takeover. This issue affects versions prior to 2.8.14 on the stable branch and prior to 3.0.0.beta16 on the beta branches. Users are advised to upgrade to a fixed version to mitigate this risk, or, as a temporary workaround, to reduce the email_token_valid_hours setting, which is set to 48 hours by default, so that stale reset links expire sooner.
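The flow described above, modelled as an added example that is not Discourse's code: a reset token records the email it was sent to, the vulnerable path re-links the account to that address when the token is used, and a hardened path (an assumption here, not the upstream patch) revokes outstanding tokens on an email change and rejects a token whose address no longer matches. The valid_hours parameter stands in for the email_token_valid_hours setting.

```ruby
require 'securerandom'

# Simplified model of a password-reset flow, constructed for this page; it is
# not Discourse's code. Each reset token records the email it was sent to.
class Account
  attr_reader :email
  def initialize(email)
    @email = email
    @tokens = {} # token => { email:, issued_at: }
  end

  # Issue a reset token bound to the current primary email.
  def request_reset(now)
    token = SecureRandom.hex(16)
    @tokens[token] = { email: @email, issued_at: now }
    token
  end

  # Vulnerable shape keeps earlier tokens alive; the hardened shape (an
  # assumption, not the upstream patch) revokes them on an email change.
  def change_email(new_email, revoke_tokens: false)
    @tokens.clear if revoke_tokens
    @email = new_email
  end

  # Consume a token once; nil if unknown or older than valid_hours, which
  # stands in for the advisory's email_token_valid_hours (48 by default).
  def consume(token, now, valid_hours)
    t = @tokens.delete(token)
    t unless t.nil? || now - t[:issued_at] > valid_hours * 3600
  end

  # Vulnerable path re-links the account to the address the token was sent
  # to; hardened path requires a match with the current address instead.
  def reset(token, now, valid_hours: 48, hardened: false)
    t = consume(token, now, valid_hours) or return false
    return t[:email] == @email if hardened # never rewrite the email
    @email = t[:email] # the old address silently becomes primary again
    true
  end
end

# Advisory scenario: link sent to the old address, user switches to a new one,
# then the old link is used later. Returns [reset accepted?, primary email].
def scenario(hardened:, valid_hours: 48, used_after_hours: 1)
  acct = Account.new("old@example.com")
  t0 = Time.utc(2022, 12, 1)
  token = acct.request_reset(t0)
  acct.change_email("new@example.com", revoke_tokens: hardened)
  ok = acct.reset(token, t0 + used_after_hours * 3600, valid_hours: valid_hours, hardened: hardened)
  [ok, acct.email]
end
```

Running scenario with a shorter valid_hours than the gap before the link is used shows why lowering email_token_valid_hours limits, but does not remove, the exposure.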

Affected Version(s)
discourse < 2.8.14
discourse >= 2.9.0.beta0, < 3.0.0.beta16