Impact
Invitation links not restricted to a single invitee’s email address can be abused to gain improper access to existing accounts. By default, invitation links can only be generated by users with trust level 2 or above.
This vulnerability does not allow attackers to gain access to administrator accounts.
Patches
All sites should upgrade to the latest version. As a precaution, the fix will automatically log out any users who have previously logged in via an invite link. These users will need to re-authenticate to gain access to the forum.
Workarounds
Temporarily disable invitations with SiteSetting.max_invites_per_day = 0 or scope them to individual email addresses.
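The following is an added example, not Discourse's own code, that models the check the fix enforces: an invite link that is not bound to a single email address may create a new account but must never log the redeemer into an account that already exists. It also includes a small audit helper of the kind a site operator would run to list still-open, unscoped invites before applying the workaround. The Invite and Account structures, the redeem and open_invites functions, and the sample data are all assumptions constructed for the example.

```ruby
# Added example (not Discourse's code): invite redemption with and without
# the email-scoping check, plus an audit of unscoped invites.

# Minimal stand-ins for invite and account records (constructed for the example).
Invite  = Struct.new(:code, :email, :max_redemptions, :redemption_count, keyword_init: true)
Account = Struct.new(:email, :admin, keyword_init: true)

# Outcome of a redemption attempt:
#   :login_existing -> redeemer is logged into the existing account
#   :create_new     -> a fresh account is created for the redeemer
#   :rejected       -> the invite is refused
def redeem(invite, claimed_email, accounts, hardened: true)
  return :rejected if invite.redemption_count >= invite.max_redemptions
  # An email-scoped invite is only valid for that exact address, whoever redeems it.
  return :rejected if invite.email && !invite.email.casecmp?(claimed_email)

  existing = accounts.find { |a| a.email.casecmp?(claimed_email) }
  return :create_new unless existing

  # Vulnerable behaviour: an unscoped invite link lets the redeemer enter any
  # existing account simply by supplying its email address.
  return :login_existing unless hardened

  # Hardened behaviour: an existing account can only be entered through an
  # invite bound to that address. Administrator accounts are refused outright
  # (a defensive choice assumed here; the advisory states they were not reachable).
  return :rejected if invite.email.nil? || existing.admin
  :login_existing
end

# Audit helper: codes of invites that are unscoped and still redeemable.
def open_invites(invites)
  invites.select { |i| i.email.nil? && i.redemption_count < i.max_redemptions }.map(&:code)
end

# Constructed sample data.
SAMPLE_ACCOUNTS = [
  Account.new(email: "alice@example.test", admin: false),
  Account.new(email: "root@example.test",  admin: true),
]
SAMPLE_INVITES = [
  Invite.new(code: "open-link",   email: nil,                  max_redemptions: 10, redemption_count: 0),
  Invite.new(code: "used-link",   email: nil,                  max_redemptions: 1,  redemption_count: 1),
  Invite.new(code: "alice-only",  email: "alice@example.test", max_redemptions: 1,  redemption_count: 0),
]

if __FILE__ == $0
  open = SAMPLE_INVITES[0]
  puts "unscoped, redeemable invites: #{open_invites(SAMPLE_INVITES).inspect}"
  puts "vulnerable: #{redeem(open, 'alice@example.test', SAMPLE_ACCOUNTS, hardened: false)}"
  puts "hardened:   #{redeem(open, 'alice@example.test', SAMPLE_ACCOUNTS)}"
end
```

With the hardened check in place an unscoped link can only ever produce a new account, which is why scoping invites to an individual address (the advisory's second workaround) removes the exposure even before the upgrade.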