Password reset link can lead to in account takeover if user changes to a new email
Package
No package listed
Affected versions
stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15
Patched versions
stable > 2.8.13; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16
Impact
When a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email.
If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting
email_token_valid_hourswhich is currently 48 hours.Patches
Upgrade to 3.0.0.beta15.
Workarounds
Lower
email_token_valid_hoursas needed.