PT-2022-15035 · Discourse · Discourse

Nathan Kershaw +1

Published: 2022-01-13 · Updated: 2024-03-06

CVE-2022-21684

CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2.7.13
Discourse version 2.8.0.beta11 in beta and tests-passed

Description
The issue allows some users to log in to a community before they should be able to do so. A user invited via email to a forum with the "must approve users" setting enabled can bypass the check that prevents unapproved users from signing in. They will have the same capabilities as an approved user, but will not be able to log back in after logging out.

Recommendations
For versions prior to 2.7.13, update to version 2.7.13 or later. For version 2.8.0.beta11 in beta and tests-passed, update to a later version. As a temporary workaround, consider disabling invites or increasing the "min trust level to allow invite" setting so that only more trusted users can send invites, which reduces the attack surface.
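As an added illustration (this is not Discourse's code; the setting names mirror those in the advisory, but the classes and functions are constructed for this example), the following Ruby model shows the shape of the flaw class the advisory describes: an invite-redemption path that issues a session without consulting the approval setting, beside a hardened path that routes through the same predicate normal login uses. It also models the inviter trust-level gate that the temporary workaround relies on.

```ruby
# Added example, not Discourse code. The User struct, settings hash and
# invite hash are constructed for illustration; "must_approve_users" and
# "min_trust_level_to_allow_invite" mirror the settings the advisory names.

User = Struct.new(:email, :approved, :trust_level, keyword_init: true)

class ApprovalRequired < StandardError; end

# The predicate the normal login path applies: when the site requires
# moderator approval, an unapproved account must not receive a session.
# This is also why, in the advisory, the bypassed account cannot log back
# in after logging out: the ordinary login path still runs this check.
def login_allowed?(user, settings)
  return true unless settings[:must_approve_users]
  user.approved
end

# Vulnerable shape: redeeming an invite creates the account and hands out
# a session without ever consulting the approval setting.
def redeem_invite_unsafe(invite, _settings)
  user = User.new(email: invite[:email], approved: false, trust_level: 0)
  { user: user, session: "session-for-#{user.email}" } # issued regardless
end

# Hardened shape: redemption goes through the same predicate as login, so
# an unapproved account is created but no session is issued for it.
def redeem_invite_safe(invite, settings)
  user = User.new(email: invite[:email], approved: false, trust_level: 0)
  unless login_allowed?(user, settings)
    raise ApprovalRequired, "#{user.email} awaits moderator approval"
  end
  { user: user, session: "session-for-#{user.email}" }
end

# Workaround gate: only users at or above the configured trust level may
# send invites at all, shrinking who can reach the redemption path.
def can_send_invite?(inviter, settings)
  min = settings.fetch(:min_trust_level_to_allow_invite, 0)
  inviter.approved && inviter.trust_level >= min
end

if __FILE__ == $PROGRAM_NAME
  settings = { must_approve_users: true, min_trust_level_to_allow_invite: 2 }
  invite = { email: "newcomer@example.test" } # constructed sample invite
  puts "unsafe path issued session: #{redeem_invite_unsafe(invite, settings)[:session]}"
  begin
    redeem_invite_safe(invite, settings)
  rescue ApprovalRequired => e
    puts "safe path refused: #{e.message}"
  end
end
```

The point of the pairing is that both login and invite redemption must share one authorization predicate; a second code path that creates a session on its own terms is exactly where this class of Improper Authentication bug appears.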

Exploit

Fix

Weakness Enumeration
Improper Authentication

Related Identifiers

BIT-DISCOURSE-2022-21684
CVE-2022-21684
GHSA-P63Q-JP48-H8XH

Affected Products

Discourse