What is the severity of CVE-2021-37693?

CVE-2021-37693 has a medium severity rating due to potential issues related to email token generation and account verification.

How do I fix CVE-2021-37693?

To fix CVE-2021-37693, upgrade to Discourse version 2.7.8 or later, or 2.8.0-beta4 or later.

What systems are affected by CVE-2021-37693?

CVE-2021-37693 affects Discourse versions prior to 2.7.8 and 2.8.0-beta4, including beta versions of 2.8.0 up to beta3.

What are the potential impacts of CVE-2021-37693?

Exploiting CVE-2021-37693 may allow attackers to bypass email verification processes when adding additional email addresses to accounts.

Is CVE-2021-37693 related to email accounts in Discourse?

Yes, CVE-2021-37693 specifically involves vulnerabilities in the email verification process when adding additional email addresses to existing Discourse accounts.

Vulnerability/
CVE-2021-37693

high

7.5

CWE

613 640

13/8/2021

4/8/2024

CVE-2021-37693: Re-use of email tokens in Discourse

First published: Fri Aug 13 2021(Updated: )

Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<2.7.8
Discourse	=2.8.0-beta1
Discourse	=2.8.0-beta2
Discourse	=2.8.0-beta3

Remedy

https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2f5336ef

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-37693?
CVE-2021-37693 has a medium severity rating due to potential issues related to email token generation and account verification.
How do I fix CVE-2021-37693?
To fix CVE-2021-37693, upgrade to Discourse version 2.7.8 or later, or 2.8.0-beta4 or later.
What systems are affected by CVE-2021-37693?
CVE-2021-37693 affects Discourse versions prior to 2.7.8 and 2.8.0-beta4, including beta versions of 2.8.0 up to beta3.
What are the potential impacts of CVE-2021-37693?
Exploiting CVE-2021-37693 may allow attackers to bypass email verification processes when adding additional email addresses to accounts.
Is CVE-2021-37693 related to email accounts in Discourse?
Yes, CVE-2021-37693 specifically involves vulnerabilities in the email verification process when adding additional email addresses to existing Discourse accounts.

agent/references
agent/weakness
agent/softwarecombine
agent/type
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/author
agent/severity
agent/title
agent/remedy
agent/first-publish-date
agent/event
agent/description
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/discourse
canonical/discourse
version/discourse/2.8.0-beta1
version/discourse/2.8.0-beta2
version/discourse/2.8.0-beta3

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.