Vulnerability Description
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 2.7.8 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2fPatchThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4Third Party Advisory
- https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2fPatchThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4Third Party Advisory
FAQ
What is CVE-2021-37693?
CVE-2021-37693 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an ...
How severe is CVE-2021-37693?
CVE-2021-37693 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-37693?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.