Skip to content

Password reset link can lead to in account takeover if user changes to a new email

Moderate
jomaxro published GHSA-5www-jxvf-vrc3 Jan 5, 2023

Package

No package listed

Affected versions

stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15

Patched versions

stable > 2.8.13; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16

Description

Impact

When a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email.

If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting email_token_valid_hours which is currently 48 hours.

Patches

Upgrade to 3.0.0.beta15.

Workarounds

Lower email_token_valid_hours as needed.

Severity

Moderate
5.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2022-46177

Weaknesses

No CWEs