Email activation route can be abused by spammers

Moderate
jomaxro published GHSA-m5w9-8gp8-2hrf Jul 27, 2022

Package

Discourse (Ruby)

Affected versions

stable <= 2.8.6; beta <= 2.9.0.beta7; tests-passed <= 2.9.0.beta7

Patched versions

stable <= 2.8.7; beta <= 2.9.0.beta8; tests-passed <= 2.9.0.beta8

Description

Impact

A malicious actor can bypass the existing rate limit on the update_activate_email route and use it to send spam signup emails on behalf of the site.

Patches

A fix is included in the latest stable, beta and tests-passed versions of Discourse.

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-31184

Weaknesses

No CWEs