CVE-2022-39356

2022-11-0217:15:17

CWE-285

[email protected]

web.nvd.nist.gov

discourse

community discussion

unauthorized access

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

42.8%

JSON

Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user’s email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with SiteSetting.max_invites_per_day = 0 or scope them to individual email addresses.

Affected configurations

Nvd

Node

discoursediscourseRange<2.8.10

discoursediscourseMatch2.9.0beta1

discoursediscourseMatch2.9.0beta10

discoursediscourseMatch2.9.0beta2

discoursediscourseMatch2.9.0beta3

discoursediscourseMatch2.9.0beta4

discoursediscourseMatch2.9.0beta5

discoursediscourseMatch2.9.0beta6

discoursediscourseMatch2.9.0beta7

discoursediscourseMatch2.9.0beta8

discoursediscourseMatch2.9.0beta9

VendorProductVersionCPE
discoursediscourse*cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*
discoursediscourse2.9.0cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*

Vendor	Product	Version	CPE
discourse	discourse	*	cpe:2.3:a:discourse:discourse::::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta1::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta10::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta2::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta3::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta4::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta5::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta6::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta7::::::
discourse	discourse	2.9.0	cpe:2.3:a:discourse:discourse:2.9.0:beta8::::::