BIT-discourse-2021-37693

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2021-37693.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2021-37693

Aliases

CVE-2021-37693

Published

2024-03-06T11:09:49.192Z

Modified

2025-04-03T14:40:37.652Z

Summary

[none]

Details

Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.8