CVELIST:CVE-2022-39356 (source: cvelist, GitHub_M)
History: Nov 02, 2022 - 12:00 a.m.

CVE-2022-39356 Discourse user account takeover via email and invite link

Published: 2022-11-02 00:00:00
CWE: CWE-285
Source: GitHub_M (www.cve.org)
Score: 8
Tags: discourse, community discussion, user account takeover, email, invite link, upgrade, workaround, disabling invitations, individual email addresses

CVSS3: 8.9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

AI Score: 9.1
Confidence: High

EPSS: 0.001
Percentile: 42.8%

Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email address when accepting the invitation and thereby gain access to that user's account. All users should upgrade to the latest version. As a workaround, invitations can be temporarily disabled by setting SiteSetting.max_invites_per_day = 0, or invitations can be scoped to individual email addresses.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "<= 2.8.9",
        "status": "affected"
      },
      {
        "version": "<= 2.9.0.beta10",
        "status": "affected"
      }
    ]
  }
]
