Invitation can cause users to be erroneously and transparently added to private message

High
jomaxro published GHSA-gh5r-j595-qx48 Nov 14, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.10; beta <= 2.9.0.beta11; tests-passed <= 2.9.0.beta11

Patched versions

stable > 2.8.10; beta > 2.9.0.beta11; tests-passed > 2.9.0.beta11
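The version ranges above are easy to misjudge by eye or with naive string comparison ("2.8.10" sorts before "2.8.9" as text, and "2.9.0.beta11" sorts after the 2.9.0 release). The following Ruby is an added example, not Discourse's code or part of the advisory: it encodes the last affected version on each branch and decides whether a given Discourse version string falls in the affected range using Gem::Version, which orders prerelease tags such as "beta11" correctly. It assumes Discourse version strings follow the form shown in the advisory (plain x.y.z for stable, x.y.z.betaN for beta and tests-passed); the branch inference from the string is an assumption of this example.

```ruby
require "rubygems" # Gem::Version: numeric segment comparison with prerelease-tag support

# Last affected version on each branch, taken from the advisory's "Affected versions".
LAST_AFFECTED = {
  "stable"       => Gem::Version.new("2.8.10"),
  "beta"         => Gem::Version.new("2.9.0.beta11"),
  "tests-passed" => Gem::Version.new("2.9.0.beta11"),
}.freeze

# Assumption of this example: stable releases are plain x.y.z strings, while beta and
# tests-passed builds carry a prerelease tag (e.g. "2.9.0.beta11"). Both non-stable
# branches share the same limit, so mapping any prerelease string to "beta" is safe here.
def infer_branch(version_string)
  Gem::Version.new(version_string).prerelease? ? "beta" : "stable"
end

# True when the given version is at or below the last affected version for its branch.
# Gem::Version compares segment by segment, so "2.8.10" > "2.8.9" and
# "2.9.0.beta11" < "2.9.0" (a prerelease precedes its final release).
def affected?(version_string, branch: infer_branch(version_string))
  limit = LAST_AFFECTED.fetch(branch) { raise ArgumentError, "unknown branch: #{branch}" }
  Gem::Version.new(version_string) <= limit
end

# Human-readable triage line for a reported version.
def triage(version_string, branch: infer_branch(version_string))
  status = affected?(version_string, branch: branch) ? "AFFECTED (upgrade required)" : "patched"
  "#{branch} #{version_string}: #{status}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, not real deployments.
  %w[2.8.10 2.8.11 2.9.0.beta11 2.9.0.beta12 2.9.0].each { |v| puts triage(v) }
end
```

Pass `branch:` explicitly when the deployment's update channel is known; the inferred branch is only a convenience for ad hoc checks.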

Description

Impact

In some rare cases, users redeeming an invitation can be added as participants to several private message topics that they should not have access to. Neither the added user nor the existing participants are notified; the addition happens transparently in the background.

Patches

Patched in the latest version.

Workarounds

Set SiteSetting.max_invites_per_day to 0 until the patch is installed.

Severity

High (8.1 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE ID

CVE-2022-39385

Weaknesses