CVE-2022-37458 : Discourse through 2.8.7 allows admins to send invitations to arbitrary email add

Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate.

Published 2022-09-02 12:15:11

Updated 2022-09-08 03:23:49

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-37458

Discourse » Discourse
Versions up to, including, (<=) 2.8.7
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: nvd@nist.gov (Primary)

https://github.com/discourse/discourse/security/advisories/GHSA-q2rg-m477-8wg7

Email invitations to topics are not rate limited in some cases · Advisory · discourse/discourse · GitHub
Third Party Advisory
https://github.com/discourse/discourse/tags

Tags · discourse/discourse · GitHub
Release Notes;Third Party Advisory
https://www.enisa.europa.eu/topics/threat-risk-management/vulnerability-disclosure

Vulnerability Disclosure — ENISA
Third Party Advisory

CVEs referencing this url

Jump to