Default credentials

2023-01-0520:15:00

PRIOn knowledge base

www.prio-n.com

default credentials

discourse

email reset

account takeover

version vulnerability

email_token_valid_hours

patch

nvd

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.2%

JSON

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 3.0.0.beta16 on the beta and tests-passed branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account’s primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting email_token_valid_hours which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower email_token_valid_hours as needed.

CPENameOperatorVersion
discourselt2.8.14
discourseeq1.1.0 beta1
discourseeq1.1.0 beta2
discourseeq1.1.0 beta3
discourseeq1.1.0 beta4
discourseeq1.1.0 beta5
discourseeq1.1.0 beta6
discourseeq1.1.0 beta6b
discourseeq1.1.0 beta7
discourseeq1.1.0 beta8

Name	Operator	Version
discourse	lt	2.8.14
discourse	eq	1.1.0 beta1
discourse	eq	1.1.0 beta2
discourse	eq	1.1.0 beta3
discourse	eq	1.1.0 beta4
discourse	eq	1.1.0 beta5
discourse	eq	1.1.0 beta6
discourse	eq	1.1.0 beta6b
discourse	eq	1.1.0 beta7
discourse	eq	1.1.0 beta8