Home > Vulnerability Database > CVE-2021-37693

Mend.io Vulnerability Database

CVE-2021-37693

Date: August 13, 2021

Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.

Language: Ruby

Severity Score

5.3

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-37693

Url: https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4

Url: https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2f5336ef

Url: https://www.mend.io/vulnerability-database/CVE-2021-37693

Severity Score

5.3

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-37693

Date: August 13, 2021

Language: Ruby

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?