CVE-2022-39356

Published: Nov 2, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.

Affected (11)

Products: Discourse: Discourse

Discourse

1 product

Discourse

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 2.8.10
Discourse Discourse	Version 2.9.0 beta10
Discourse Discourse	Version 2.9.0 beta1
Discourse Discourse	Version 2.9.0 beta2
Discourse Discourse	Version 2.9.0 beta3
Discourse Discourse	Version 2.9.0 beta4
Discourse Discourse	Version 2.9.0 beta5
Discourse Discourse	Version 2.9.0 beta6
Discourse Discourse	Version 2.9.0 beta7
Discourse Discourse	Version 2.9.0 beta8
Discourse Discourse	Version 2.9.0 beta9