When adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Severity
Low
CVE ID
CVE-2021-37693
Weaknesses
No CWEs
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.
Impact
When adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.