CVE-2021-37693
CVE-2021-37693 is a high-severity vulnerability with a CVSS v3.1 base score of 7.5. Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, adding an additional email address to an existing account generates an email token for the verification step; deleting that address does not invalidate an unused token, which can then be used in other contexts, including resetting the account password. EPSS estimates a 0.83% chance of exploitation in the next 30 days.
Description
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when an additional email address is added to an existing account on a Discourse site, an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token, which can then be used in other contexts, including resetting a password.
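The following is an added, self-contained illustration of the token-lifecycle failure described above; it is not Discourse code, and the class names, the in-memory storage and the `remove_email_*` / `reset_password_with_token` methods are assumptions used only to show the pattern. The vulnerable path deletes the address but leaves its verification token usable, so the token still passes the password-reset check; the fixed path expires every unused token issued for that address at deletion time.

```ruby
require 'securerandom'

# Constructed toy model of the token lifecycle behind CVE-2021-37693.
# Added example, not Discourse code: names and storage are assumptions.

class EmailToken
  attr_reader :user_id, :email, :token
  attr_accessor :expired, :confirmed

  def initialize(user_id, email)
    @user_id = user_id
    @email = email
    @token = SecureRandom.hex(16)   # random, unguessable token value
    @expired = false
    @confirmed = false
  end

  # A token is usable only while it is neither expired nor already consumed.
  def usable?
    !@expired && !@confirmed
  end
end

class Account
  attr_reader :id, :emails, :tokens, :password

  def initialize(id, primary_email)
    @id = id
    @emails = [primary_email]
    @tokens = []
    @password = 'original'
  end

  # Adding a secondary address issues a token that is mailed to that address.
  def add_email(email)
    @emails << email
    tok = EmailToken.new(@id, email)
    @tokens << tok
    tok
  end

  # Vulnerable behaviour: the address goes away, its tokens do not.
  def remove_email_vulnerable(email)
    @emails.delete(email)
  end

  # Hardened behaviour: expire every unused token issued for that address.
  def remove_email_fixed(email)
    @emails.delete(email)
    @tokens.each { |t| t.expired = true if t.email == email }
  end

  # Token-driven password reset: any usable token owned by the account is
  # accepted, which is the "other context" the advisory refers to.
  # Returns true when the reset went through.
  def reset_password_with_token(token_string, new_password)
    tok = @tokens.find { |t| t.token == token_string }
    return false unless tok && tok.usable?
    tok.confirmed = true
    @password = new_password
    true
  end
end

# Runs the full sequence (add address, delete it, try a reset with the
# leftover token) and reports whether the reset succeeded.
def demo(fixed:)
  acct = Account.new(1, 'owner@example.test')
  tok = acct.add_email('extra@example.test')   # token issued, never confirmed
  if fixed
    acct.remove_email_fixed('extra@example.test')
  else
    acct.remove_email_vulnerable('extra@example.test')
  end
  acct.reset_password_with_token(tok.token, 'attacker-chosen')
end

if __FILE__ == $0
  puts "vulnerable path reset succeeded: #{demo(fixed: false)}"  # true
  puts "fixed path reset succeeded:      #{demo(fixed: true)}"   # false
end
```

A second, independent guard worth adding in a real system is to have the reset path refuse any token whose `email` is no longer attached to the account, so that a missed invalidation elsewhere still cannot be turned into a password reset.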
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (base score 7.5, High; network-reachable, no privileges or user interaction required, high integrity impact)
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Discourse | Discourse | < 2.7.8 | — |
| Discourse | Discourse | 2.8.0 | beta1 through beta3 (fixed in beta4) |
References
- https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2f5336ef (Patch, Third Party Advisory)
- https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4 (Third Party Advisory)
Source: NVD / NIST
