PT-2022-20469 · Discourse · Discourse
Lowjomaxro · Published 2022-06-03 · Updated 2025-10-14
CVE-2022-31025
| Metric | Value |
| --- | --- |
| CVSS v2.0 score | 5.0 (Medium) |
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2.8.4 on the stable branch
Discourse versions prior to 2.9.0beta5 on the beta and tests-passed branches
Description
The issue affects Discourse, an open source platform for community discussion. On sites that use single sign-on, inviting users could bypass the `must_approve_users` check, and invites by staff are always approved automatically.

Recommendations
For versions prior to 2.8.4 on the stable branch, update to version 2.8.4 or later.
For versions prior to 2.9.0beta5 on the beta and tests-passed branches, update to version 2.9.0beta5 or later.
As a temporary workaround, consider disabling invites or increasing `min_trust_level_to_allow_invite` so that only more trusted users can send invites, which reduces the attack surface.

Exploit

Fix
Weakness Enumeration
Improper Authorization
Related Identifiers
Affected Products
Discourse