← Back

CVE-2022-46177

nvd nist
Published: Jan 5, 2023Modified: Nov 21, 2024

JSON object

Loading...
8.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.8 / Impact: 5.2
Source: NVD

Description

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed.

Affected (206)

Products: Discourse: Discourse
Discourse
1 product
Discourse
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Discourse
Before 2.8.14
Configuration B
205 vulnerable
Vulnerable SoftwareAffected Versions
Discourse
Discourse
Version 1.1.0 beta1
Discourse
Version 1.1.0 beta2
Discourse
Version 1.1.0 beta3
Discourse
Version 1.1.0 beta4
Discourse
Version 1.1.0 beta5
Discourse
Version 1.1.0 beta6
Discourse
Version 1.1.0 beta6b
Discourse
Version 1.1.0 beta7
Discourse
Version 1.1.0 beta8
Discourse
Version 1.2.0 beta1
Discourse
Version 1.2.0 beta2
Discourse
Version 1.2.0 beta3
Discourse
Version 1.2.0 beta4
Discourse
Version 1.2.0 beta5
Discourse
Version 1.2.0 beta6
Discourse
Version 1.2.0 beta7
Discourse
Version 1.2.0 beta8
Discourse
Version 1.2.0 beta9
Discourse
Version 1.3.0 beta10
Discourse
Version 1.3.0 beta11
Discourse
Version 1.3.0 beta1
Discourse
Version 1.3.0 beta2
Discourse
Version 1.3.0 beta3
Discourse
Version 1.3.0 beta4
Discourse
Version 1.3.0 beta5
Discourse
Version 1.3.0 beta6
Discourse
Version 1.3.0 beta7
Discourse
Version 1.3.0 beta8
Discourse
Version 1.3.0 beta9
Discourse
Version 1.4.0 beta10
Discourse
Version 1.4.0 beta11
Discourse
Version 1.4.0 beta12
Discourse
Version 1.4.0 beta1
Discourse
Version 1.4.0 beta2
Discourse
Version 1.4.0 beta3
Discourse
Version 1.4.0 beta4
Discourse
Version 1.4.0 beta5
Discourse
Version 1.4.0 beta6
Discourse
Version 1.4.0 beta7
Discourse
Version 1.4.0 beta8
Discourse
Version 1.4.0 beta9
Discourse
Version 1.5.0 beta10
Discourse
Version 1.5.0 beta11
Discourse
Version 1.5.0 beta12
Discourse
Version 1.5.0 beta13
Discourse
Version 1.5.0 beta13b
Discourse
Version 1.5.0 beta14
Discourse
Version 1.5.0 beta1
Discourse
Version 1.5.0 beta2
Discourse
Version 1.5.0 beta3
Discourse
Version 1.5.0 beta4
Discourse
Version 1.5.0 beta5
Discourse
Version 1.5.0 beta6
Discourse
Version 1.5.0 beta7
Discourse
Version 1.5.0 beta8
Discourse
Version 1.5.0 beta9
Discourse
Version 1.6.0 beta10
Discourse
Version 1.6.0 beta11
Discourse
Version 1.6.0 beta12
Discourse
Version 1.6.0 beta1
Discourse
Version 1.6.0 beta2
Discourse
Version 1.6.0 beta3
Discourse
Version 1.6.0 beta4
Discourse
Version 1.6.0 beta5
Discourse
Version 1.6.0 beta6
Discourse
Version 1.6.0 beta7
Discourse
Version 1.6.0 beta8
Discourse
Version 1.6.0 beta9
Discourse
Version 1.7.0 beta10
Discourse
Version 1.7.0 beta11
Discourse
Version 1.7.0 beta1
Discourse
Version 1.7.0 beta2
Discourse
Version 1.7.0 beta3
Discourse
Version 1.7.0 beta4
Discourse
Version 1.7.0 beta5
Discourse
Version 1.7.0 beta6
Discourse
Version 1.7.0 beta7
Discourse
Version 1.7.0 beta8
Discourse
Version 1.7.0 beta9
Discourse
Version 1.8.0 beta10
Discourse
Version 1.8.0 beta11
Discourse
Version 1.8.0 beta12
Discourse
Version 1.8.0 beta13
Discourse
Version 1.8.0 beta1
Discourse
Version 1.8.0 beta2
Discourse
Version 1.8.0 beta3
Discourse
Version 1.8.0 beta4
Discourse
Version 1.8.0 beta5
Discourse
Version 1.8.0 beta6
Discourse
Version 1.8.0 beta7
Discourse
Version 1.8.0 beta8
Discourse
Version 1.8.0 beta9
Discourse
Version 1.9.0 beta10
Discourse
Version 1.9.0 beta11
Discourse
Version 1.9.0 beta12
Discourse
Version 1.9.0 beta13
Discourse
Version 1.9.0 beta14
Discourse
Version 1.9.0 beta15
Discourse
Version 1.9.0 beta16
Discourse
Version 1.9.0 beta17
Discourse
Version 1.9.0 beta1
Discourse
Version 1.9.0 beta2
Discourse
Version 1.9.0 beta3
Discourse
Version 1.9.0 beta4
Discourse
Version 1.9.0 beta5
Discourse
Version 1.9.0 beta6
Discourse
Version 1.9.0 beta7
Discourse
Version 1.9.0 beta8
Discourse
Version 1.9.0 beta9
Discourse
Version 2.0.0 beta10
Discourse
Version 2.0.0 beta1
Discourse
Version 2.0.0 beta2
Discourse
Version 2.0.0 beta3
Discourse
Version 2.0.0 beta4
Discourse
Version 2.0.0 beta5
Discourse
Version 2.0.0 beta6
Discourse
Version 2.0.0 beta7
Discourse
Version 2.0.0 beta8
Discourse
Version 2.0.0 beta9
Discourse
Version 2.1.0 beta1
Discourse
Version 2.1.0 beta2
Discourse
Version 2.1.0 beta3
Discourse
Version 2.1.0 beta4
Discourse
Version 2.1.0 beta5
Discourse
Version 2.1.0 beta6
Discourse
Version 2.2.0 beta10
Discourse
Version 2.2.0 beta1
Discourse
Version 2.2.0 beta2
Discourse
Version 2.2.0 beta3
Discourse
Version 2.2.0 beta4
Discourse
Version 2.2.0 beta5
Discourse
Version 2.2.0 beta6
Discourse
Version 2.2.0 beta7
Discourse
Version 2.2.0 beta8
Discourse
Version 2.2.0 beta9
Discourse
Version 2.3.0 beta10
Discourse
Version 2.3.0 beta11
Discourse
Version 2.3.0 beta1
Discourse
Version 2.3.0 beta2
Discourse
Version 2.3.0 beta3
Discourse
Version 2.3.0 beta4
Discourse
Version 2.3.0 beta5
Discourse
Version 2.3.0 beta6
Discourse
Version 2.3.0 beta7
Discourse
Version 2.3.0 beta8
Discourse
Version 2.3.0 beta9
Discourse
Version 2.4.0 beta10
Discourse
Version 2.4.0 beta11
Discourse
Version 2.4.0 beta1
Discourse
Version 2.4.0 beta2
Discourse
Version 2.4.0 beta3
Discourse
Version 2.4.0 beta4
Discourse
Version 2.4.0 beta5
Discourse
Version 2.4.0 beta6
Discourse
Version 2.4.0 beta7
Discourse
Version 2.4.0 beta8
Discourse
Version 2.4.0 beta9
Discourse
Version 2.5.0 beta1
Discourse
Version 2.5.0 beta2
Discourse
Version 2.5.0 beta3
Discourse
Version 2.5.0 beta4
Discourse
Version 2.5.0 beta5
Discourse
Version 2.5.0 beta6
Discourse
Version 2.5.0 beta7
Discourse
Version 2.6.0 beta1
Discourse
Version 2.6.0 beta2
Discourse
Version 2.6.0 beta3
Discourse
Version 2.6.0 beta4
Discourse
Version 2.6.0 beta5
Discourse
Version 2.6.0 beta6
Discourse
Version 2.7.0 beta1
Discourse
Version 2.7.0 beta2
Discourse
Version 2.7.0 beta3
Discourse
Version 2.7.0 beta4
Discourse
Version 2.7.0 beta5
Discourse
Version 2.7.0 beta6
Discourse
Version 2.7.0 beta7
Discourse
Version 2.7.0 beta8
Discourse
Version 2.7.0 beta9
Discourse
Version 2.8.0 beta10
Discourse
Version 2.8.0 beta11
Discourse
Version 2.8.0 beta1
Discourse
Version 2.8.0 beta2
Discourse
Version 2.8.0 beta3
Discourse
Version 2.8.0 beta4
Discourse
Version 2.8.0 beta5
Discourse
Version 2.8.0 beta6
Discourse
Version 2.8.0 beta7
Discourse
Version 2.8.0 beta8
Discourse
Version 2.8.0 beta9
Discourse
Version 2.9.0 beta10
Discourse
Version 2.9.0 beta11
Discourse
Version 2.9.0 beta12
Discourse
Version 2.9.0 beta13
Discourse
Version 2.9.0 beta14
Discourse
Version 2.9.0 beta1
Discourse
Version 2.9.0 beta2
Discourse
Version 2.9.0 beta3
Discourse
Version 2.9.0 beta4
Discourse
Version 2.9.0 beta5
Discourse
Version 2.9.0 beta6
Discourse
Version 2.9.0 beta7
Discourse
Version 2.9.0 beta8
Discourse
Version 2.9.0 beta9
Discourse
Version 3.0.0 beta15

Related CWEs

CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (6)

Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.