Re-use of email tokens

Low
tgxworld published GHSA-9377-96f4-cww4 Aug 13, 2021

Package

No package listed

Affected versions

stable <= 2.7.7; beta <= 2.8.0.beta4; tests-passed <= 2.8.0.beta4;

Patched versions

stable >= 2.7.8; beta >= 2.8.0.beta4; tests-passed >= 2.8.0.beta4;

Description

Impact

When an additional email address is added to an existing account on a Discourse site, an email token is generated as part of the email verification process. Deleting that additional email address does not invalidate an unused token, which can then be redeemed in other contexts, including resetting the account's password.
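To make the bug class concrete, the following is an added example written for this page; it is not Discourse's code and the class names, the `redeem` method, the `TTL` value and the sample user id and address are all constructed for illustration. The vulnerable store hands out a bare random token that is looked up by value only, so nothing ties it to the email it was issued for or to a purpose, and deleting the email leaves it redeemable for a password reset. The hardened store keeps only a digest of the token, binds it to a purpose and to the email it verifies, revokes it when that email is removed, expires it, and consumes it on first use.

```ruby
require 'securerandom'
require 'digest'

# Vulnerable variant (constructed, not Discourse's code): tokens are opaque
# strings looked up by value only. Nothing records what a token was issued
# for, and deleting the email it verified leaves it in the table, so it
# remains redeemable anywhere, including for a password reset.
class VulnerableTokenStore
  def initialize
    @tokens = {} # token => { user_id:, email: }
    @emails = {} # user_id => [emails]
  end

  def add_email(user_id, email)
    token = SecureRandom.hex(16)
    @tokens[token] = { user_id: user_id, email: email }
    (@emails[user_id] ||= []) << email
    token
  end

  def delete_email(user_id, email)
    @emails[user_id]&.delete(email)
    # Bug: the pending token for this email is never revoked.
  end

  # Any live token is accepted for any purpose; the purpose is ignored.
  def redeem(token, _purpose)
    record = @tokens[token]
    record && record[:user_id]
  end
end

# Hardened variant (constructed): store a digest, bind each token to a
# purpose and (for confirmation) to the email it verifies, revoke on email
# deletion, expire after TTL, and consume on first use.
class HardenedTokenStore
  TTL = 24 * 60 * 60 # one day; an assumed policy, not Discourse's setting

  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @tokens = {} # sha256(token) => { user_id:, email:, purpose:, issued_at: }
  end

  def issue(user_id, purpose, email: nil)
    token = SecureRandom.hex(16)
    @tokens[digest(token)] = { user_id: user_id, email: email,
                               purpose: purpose, issued_at: @clock.call }
    token
  end

  def add_email(user_id, email)
    issue(user_id, :confirm_email, email: email)
  end

  # Removing an address revokes every token that was issued to verify it.
  def delete_email(_user_id, email)
    @tokens.delete_if { |_, r| r[:email] == email }
  end

  def redeem(token, purpose)
    key = digest(token)
    record = @tokens[key]
    return nil unless record
    return nil unless record[:purpose] == purpose        # no cross-context use
    return nil if @clock.call - record[:issued_at] > TTL  # expired
    @tokens.delete(key)                                   # single use
    record[:user_id]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Walk both stores through the advisory's scenario with constructed data:
# user 42 adds an alternate address, deletes it, then the leftover token is
# presented as a password-reset token.
def demo
  v = VulnerableTokenStore.new
  t = v.add_email(42, 'alt@example.com')
  v.delete_email(42, 'alt@example.com')
  vuln = v.redeem(t, :password_reset) # still returns 42

  h = HardenedTokenStore.new
  t2 = h.add_email(42, 'alt@example.com')
  h.delete_email(42, 'alt@example.com')
  after_delete = h.redeem(t2, :password_reset) # nil, revoked

  t3 = h.add_email(42, 'alt@example.com')
  wrong_purpose = h.redeem(t3, :password_reset) # nil, purpose mismatch
  right_purpose = h.redeem(t3, :confirm_email)  # 42
  reuse = h.redeem(t3, :confirm_email)          # nil, already consumed

  { vuln: vuln, after_delete: after_delete, wrong_purpose: wrong_purpose,
    right_purpose: right_purpose, reuse: reuse }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The check a practitioner wants in a real code base is the one `demo` exercises: after an address is removed, every token issued for it must fail, and a token must fail for any purpose other than the one it was issued for, regardless of whether it was ever used.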

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Severity

Low

CVE ID

CVE-2021-37693

Weaknesses

No CWEs