CVE-2021-37693

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2.7.8 Discourse versions prior to 2.8.0.beta4

Description The issue concerns the email verification process in Discourse. When adding an extra email address to an existing account, an email token is generated. If the additional email address is deleted, the unused token remains valid and can be used in other contexts, such as resetting a password.

Recommendations For versions prior to 2.7.8, update to version 2.7.8 or later to resolve the issue. For versions prior to 2.8.0.beta4, update to version 2.8.0.beta4 or later to resolve the issue.

Fix

Insufficient Session Expiration

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-613CWE-640

Related Identifiers

BIT-DISCOURSE-2021-37693

CVE-2021-37693

GHSA-9377-96F4-CWW4

Affected Products

Discourse

CVE-2021-37693

Weakness Enumeration

Related Identifiers

Affected Products

References · 5