Lucene search

K
cvelistGitHub_MCVELIST:CVE-2021-37693
HistoryAug 13, 2021 - 3:15 p.m.

CVE-2021-37693 Re-use of email tokens in Discourse

2021-08-1315:15:10
CWE-613
CWE-640
GitHub_M
www.cve.org

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

30.9%

Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.

CNA Affected

[
  {
    "product": "discourse",
    "vendor": "discourse",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.7.8"
      }
    ]
  }
]

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

30.9%

Related for CVELIST:CVE-2021-37693