User account takeover via invite links

High
jomaxro published GHSA-x8w7-rwmr-w278 Nov 1, 2022

Package

No package listed

Affected versions

stable <= 2.8.9; beta <= 2.9.0.beta9; tests-passed <= 2.9.0.beta9

Patched versions

stable >= 2.8.10; beta >= 2.9.0.beta10; tests-passed >= 2.9.0.beta10

Description

Impact

Invitation links that are not restricted to a single invitee's email address can be abused to gain improper access to existing accounts. By default, only users with trust level 2 or above can generate invitation links.

This vulnerability does not allow attackers to gain access to administrator accounts.

Patches

All sites should upgrade to the latest version. As a precaution, the fix automatically logs out any user who previously logged in via an invite link; those users must re-authenticate to regain access to the forum.

Workarounds

Temporarily disable invitations by setting max_invites_per_day to 0 (in the admin site settings, or with SiteSetting.max_invites_per_day = 0 from the Rails console), or scope every invitation to an individual email address so that a link can only be redeemed for the address it was issued to.
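To make the impact and the email-scoping workaround concrete, here is an added Ruby model of invite redemption. It is constructed for this page and is not Discourse's own code: Forum, Invite, redeem_weak, redeem_hardened and logout_invite_sessions are hypothetical names, and the simplified logic stands in for the real flow. It contrasts an unscoped invite that trusts whatever address is typed in with a hardened redeem that only ever creates a new account or accepts the one address the invite was issued for, and it includes the advisory's precaution of invalidating invite-based sessions.

```ruby
# Added example, not Discourse code: a constructed model of invite redemption
# showing (1) how an invite link that is not bound to one email can land the
# redeemer in an existing account, (2) a hardened redeem step that refuses
# that, and (3) the advisory's precaution of logging out invite-based sessions.
require 'securerandom'

User    = Struct.new(:id, :email)
Invite  = Struct.new(:token, :email)     # email nil => open link, usable by anyone
Session = Struct.new(:user_id, :via_invite)

class RedeemError < StandardError; end

class Forum
  attr_reader :users, :sessions

  def initialize
    @users    = {}   # normalised email => User
    @invites  = {}   # token => Invite
    @sessions = {}   # session id => Session
  end

  def add_user(email)
    email = normalise(email)
    @users[email] = User.new(@users.size + 1, email)
  end

  # Hypothetical helper: an email-scoped invite when +email+ is given,
  # otherwise an open link (the case the advisory warns about).
  def create_invite(email: nil)
    token = SecureRandom.hex(8)
    @invites[token] = Invite.new(token, email)
    token
  end

  # Weak redeem: trusts whatever address is typed on the invite page. When the
  # address already belongs to an account, the redeemer is signed in as it.
  def redeem_weak(token, submitted_email)
    invite = @invites.fetch(token) { raise RedeemError, "unknown invite" }
    email  = normalise(invite.email || submitted_email)
    user   = @users[email] || add_user(email)
    login(user, via_invite: true)
  end

  # Hardened redeem: an open invite may only create a brand-new account, and
  # an email-scoped invite only accepts the exact address it was issued for.
  # Redeeming never signs anyone into an account that already existed.
  def redeem_hardened(token, submitted_email)
    invite = @invites.fetch(token) { raise RedeemError, "unknown invite" }
    email  = normalise(submitted_email)
    if invite.email && normalise(invite.email) != email
      raise RedeemError, "invite was issued for a different address"
    end
    if @users.key?(email)
      raise RedeemError, "address already has an account; log in instead"
    end
    login(add_user(email), via_invite: true)
  end

  def login(user, via_invite: false)
    sid = SecureRandom.hex(16)
    @sessions[sid] = Session.new(user.id, via_invite)
    sid
  end

  def user_for(sid)
    s = @sessions[sid]
    s && @users.values.find { |u| u.id == s.user_id }
  end

  # Precaution from the advisory: drop every session that was established
  # through an invite link so its holder has to authenticate again.
  # Returns the number of sessions invalidated.
  def logout_invite_sessions
    before = @sessions.size
    @sessions.delete_if { |_, s| s.via_invite }
    before - @sessions.size
  end

  private

  # Case and whitespace normalisation so "Victim@Example.com " and
  # "victim@example.com" refer to the same account in both code paths.
  def normalise(email)
    email.to_s.strip.downcase
  end
end
```

With redeem_weak, an open invite plus the email of an existing account yields a session for that account; redeem_hardened raises RedeemError in that case and only succeeds for a fresh address or the exact address a scoped invite names. logout_invite_sessions models the post-upgrade step of forcing every invite-based login to re-authenticate.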

Severity

High

CVE ID

CVE-2022-39356

Weaknesses

Credits