Home > Vulnerability Database > CVE-2021-37693

Mend.io Vulnerability Database

CVE-2021-37693

Good to know:

Date: August 13, 2021

Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.

Language: Ruby

Severity Score

7.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-37693

Url: https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4

Url: https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2f5336ef

Url: https://www.mend.io/vulnerability-database/CVE-2021-37693

Severity Score

7.5

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Top Fix

Upgrade Version

Upgrade to version v2.7.7, v2.8.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-37693

Good to know:

Date: August 13, 2021

Language: Ruby

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?