Email invitations to topics are not rate limited in some cases

Low
jomaxro published GHSA-q2rg-m477-8wg7 Aug 10, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.7; beta <= 2.9.0.beta8; tests-passed <= 2.9.0.beta8

Patched versions

stable >= 2.8.8; beta >= 2.9.0.beta9; tests-passed >= 2.9.0.beta9

Description

Impact

A malicious user can use the invitation system to spam arbitrary email addresses by sending them invitation emails in some cases.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

None.

Severity

Low

CVE ID

CVE-2022-37458

Weaknesses

No CWEs