Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.
References
Link | Resource |
---|---|
https://github.com/discourse/discourse/pull/18817 | Patch Third Party Advisory |
https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-11-02T00:00:00
Updated: 2022-11-02T00:00:00
Reserved: 2022-09-02T00:00:00
Link: CVE-2022-39356
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-11-02T17:15:17.520
Modified: 2023-06-27T17:27:11.653
Link: CVE-2022-39356
JSON object: View
Redhat Information
No data.
CWE