CVE-2021-37693 MEDIUM

CVE-2021-37693: Re-use of email tokens in Discourse

Vendor Discourse
Product discourse
Weakness CWE-640 · Weak password recovery
Published August 13, 2021
Last update August 4, 2024

CVSS base score

5.3/10 (Medium)
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when an additional email address is added to an existing account on a Discourse site, an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token, which can then be used in other contexts, including resetting a password.

Key dates

Disclosure timeline

August 13, 2021 CVE published
August 4, 2024 Record updated
