Home > Vulnerability Database > CVE-2022-46177

Mend.io Vulnerability Database

CVE-2022-46177

Good to know:

Date: January 5, 2023

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed.

Language: Ruby

Severity Score

8.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-46177

Url: https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d67641b1f0b38

Url: https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb85c20da570

Url: https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3

Url: https://www.mend.io/vulnerability-database/CVE-2022-46177

Severity Score

8.1

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

Upgrade Version

Upgrade to version v2.8.14

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-46177

Good to know:

Date: January 5, 2023

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?