PT-2022-24923 · Discourse · Discourse Patreon Plugin

Jomaxro · Published 2022-10-26 · Updated 2022-10-28 · CVE-2022-39355

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Discourse Patreon plugin (affected versions not specified)
Description: An improper authentication issue could be exploited to take control of a victim's forum account on sites with Patreon login enabled. The issue affects the synchronization between Discourse groups and Patreon rewards. As a precautionary measure, Discourse accounts that have logged in with a Patreon account whose email address was unverified will be logged out and asked to verify their email address on their next login.
Recommendations: As a temporary workaround, consider disabling the Patreon integration and logging out all users with associated Patreon accounts. Update the discourse-patreon plugin to a version that includes the patch commit 846d012151514b35ce42a1636c7d70f6dcee879e.
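The description ties the issue to Patreon logins whose email address the provider had not verified, and the precautionary measure is to log such accounts out until the address is confirmed. The following Ruby example is added here to illustrate the general defensive pattern behind that measure; it is not the discourse-patreon plugin's code nor the patched logic, and the user table, the provider-identity structure and the function names are constructed stand-ins. The rule it enforces: an external identity may match an existing forum account by email only when the identity provider asserts that email is verified; an already-linked provider id maps to its user, and anything else yields no match.

```ruby
# Added illustration (not the discourse-patreon plugin's own code): account
# resolution for a provider-based login that refuses to match an existing
# forum account by email unless the provider reports the address as verified.
# All data below is constructed for the example.

User = Struct.new(:id, :email, :patreon_id)

# Constructed in-memory stand-in for the forum's user table.
USERS = [
  User.new(1, "alice@example.com", nil),
  User.new(2, "bob@example.com",   "patreon-bob")
].freeze

# What a provider login hands back: the external uid, the email the provider
# reports, and whether the provider itself has verified that email.
ProviderIdentity = Struct.new(:provider_uid, :email, :email_verified)

class LinkRefused < StandardError; end

# Resolve which forum user (if any) a provider identity may log in as.
#   1. An identity already linked by provider uid maps to that user.
#   2. Matching an existing account by email is allowed only when the
#      provider asserts the email is verified; an unverified email must
#      never be used to claim someone else's account.
#   3. No match returns nil (the caller would create a fresh account or
#      ask the user to verify their address first).
def resolve_account(identity, users = USERS)
  linked = users.find { |u| u.patreon_id == identity.provider_uid }
  return linked if linked

  by_email = users.find { |u| u.email.casecmp?(identity.email) }
  return nil unless by_email

  unless identity.email_verified
    raise LinkRefused,
          "provider email #{identity.email} is unverified; " \
          "refusing to link it to existing account #{by_email.id}"
  end
  by_email
end

# Record of an existing provider link, as an admin cleanup job might read it.
LinkRecord = Struct.new(:user_id, :provider_uid, :email_verified)

# The precautionary measure from the advisory, as a selection step: return
# the ids of users whose provider link rests on an unverified email, so their
# sessions can be ended and email verification required at next login.
def accounts_to_reverify(links)
  links.reject(&:email_verified).map(&:user_id)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an unverified identity presenting Alice's email.
  begin
    resolve_account(ProviderIdentity.new("patreon-x", "alice@example.com", false))
  rescue LinkRefused => e
    puts "refused: #{e.message}"
  end
  puts "reverify: #{accounts_to_reverify([LinkRecord.new(7, 'p-7', false), LinkRecord.new(8, 'p-8', true)]).inspect}"
end
```

The point of the split between a uid match and an email match is that only the provider uid is an identity the provider has actually asserted; the email is a claim about a third-party mailbox, so it may stand in for proof of ownership only when the provider says it has been verified.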

Tags: Exploit · Fix · Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2022-39355
GHSA-FVJ9-F67V-QPR4

Affected Products

Discourse
Discourse Patreon Plugin