Email invitations to topics are not rate limited in some cases
Package
Discourse (Discourse)
Affected versions
stable <= 2.8.7; beta <= 2.9.0.beta8; tests-passed <= 2.9.0.beta8
Patched versions
stable >= 2.8.8; beta >= 2.9.0.beta9; tests-passed >= 2.9.0.beta9
Impact
Because email invitations to topics are not rate limited in some cases, a malicious user can use the invitation system to spam arbitrary email addresses with invitation emails.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
None.