PT-2023-14817 · Discourse · Discourse

Jomaxro · Published 2023-01-05 · Updated 2024-03-06 · CVE-2022-46177

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 2.8.14 on the stable branch
Discourse versions prior to 3.0.0.beta15 on the beta and tests-passed branches

Description

Discourse is an open source discussion platform. When a user requests a password reset link by email and then changes their primary email, the reset email sent to the old address remains valid. If that old reset email is used to reset the password, the account's primary email is re-linked to the old address, potentially leading to an account takeover if the old email address is compromised or has changed ownership. The window of exposure is bounded by the site setting "email token valid hours", which is currently set to 48 hours.

Recommendations

For versions prior to 2.8.14 on the stable branch, upgrade to version 2.8.14 to receive a patch. For versions prior to 3.0.0.beta15 on the beta and tests-passed branches, upgrade to version 3.0.0.beta15 to receive a patch. As a temporary workaround, consider lowering the "email token valid hours" setting to shorten the window in which a stale reset token can be used.
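The token check at the heart of this issue, as an added illustration in Ruby that is not Discourse's code: a constructed account model whose vulnerable reset only checks token age (so a token mailed to the old address keeps working and re-links the account to it), beside a hardened reset that also requires the token's email to still be the account's current primary email.

```ruby
require 'securerandom'

# Constructed model of a password-reset flow (added example, not Discourse's code).
# Each reset token records the email it was sent to and when it was issued.
ResetToken = Struct.new(:value, :email, :issued_at)

class Account
  TOKEN_VALID_HOURS = 48   # mirrors the "email token valid hours" setting
  attr_reader :primary_email, :password
  def initialize(email, password)
    @primary_email, @password, @tokens = email, password, []
  end

  def request_reset
    @tokens << ResetToken.new(SecureRandom.hex(16), @primary_email, Time.now)
    @tokens.last.value
  end

  def change_primary_email(new_email)
    @primary_email = new_email
  end

  # Vulnerable pattern: only age is checked, so a token issued for the old
  # address still works after the primary email changes, and confirming it
  # re-links the account to that old address.
  def reset_vulnerable(token, new_password)
    t = @tokens.find { |x| x.value == token && fresh?(x) }
    return false unless t
    @primary_email = t.email      # account re-linked to the stale address
    @password = new_password
    @tokens.delete(t)
    true
  end

  # Hardened pattern: the token must also match the current primary email,
  # so tokens sent to a replaced address are dead on arrival.
  def reset_hardened(token, new_password)
    t = @tokens.find { |x| x.value == token && fresh?(x) && x.email == @primary_email }
    return false unless t
    @password = new_password
    @tokens.clear                 # one successful reset burns all outstanding tokens
    true
  end

  private
  def fresh?(t)
    Time.now - t.issued_at < TOKEN_VALID_HOURS * 3600
  end
end
```

Invalidating all outstanding reset tokens at the moment the primary email changes is an equivalent defence; the email-match check above catches the same stale token at redemption time.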

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BIT-DISCOURSE-2022-46177
CVE-2022-46177
GHSA-5WWW-JXVF-VRC3

Affected Products

Discourse