
CVE-2025-53102
Date: July 29, 2025
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the "stable" branch and version 3.5.0.beta.8 on the "tests-passed" branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
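A simplified model of why a challenge has to be single-use, added here as an illustration; it is not Discourse's code or its fix. All method names and the session hash are hypothetical, and an HMAC with a constructed key stands in for the security key's public-key signature so the example runs on the standard library alone.

```ruby
require "securerandom"
require "openssl"

# Constructed stand-in for the authenticator's key (assumption of this example).
DEMO_KEY = "constructed-demo-key"

# Server side: create a fresh random challenge and remember it in the session.
def issue_challenge(session)
  session[:webauthn_challenge] = SecureRandom.hex(32)
end

# Client side: the "security key" signs the challenge it was given.
def sign(challenge)
  { challenge: challenge,
    sig: OpenSSL::HMAC.hexdigest("SHA256", DEMO_KEY, challenge) }
end

def signature_valid?(assertion)
  expected = OpenSSL::HMAC.hexdigest("SHA256", DEMO_KEY, assertion[:challenge])
  OpenSSL.secure_compare(expected, assertion[:sig])
end

# Models the described weakness: the challenge stays in the session after use.
def verify_keeping_challenge(session, assertion)
  expected = session[:webauthn_challenge]
  !expected.nil? && assertion[:challenge] == expected && signature_valid?(assertion)
end

# Single-use handling: the challenge is deleted before any check runs, so it
# is consumed whether verification succeeds or fails.
def verify_single_use(session, assertion)
  expected = session.delete(:webauthn_challenge)
  !expected.nil? && assertion[:challenge] == expected && signature_valid?(assertion)
end

# Presents the same signed assertion twice against one session and returns
# [first_result, second_result] for the chosen verifier.
def replay_result(verifier)
  session = {}
  assertion = sign(issue_challenge(session))
  [send(verifier, session, assertion), send(verifier, session, assertion)]
end

puts "challenge kept:       #{replay_result(:verify_keeping_challenge).inspect}"
puts "challenge single-use: #{replay_result(:verify_single_use).inspect}"
```
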
Weakness Type (CWE)
Session Fixation
CWE-384

Top Fix

Upgrade Version
Upgrade to version https://github.com/discourse/discourse.git - v3.4.7; https://github.com/discourse/discourse.git - v3.5.0.beta8
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | HIGH |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | NONE |
Availability (A): | NONE |