Executive Summary

Informations
Name CVE-2022-46177 First vendor Publication 2023-01-05
Vendor Cve Last vendor Modification 2023-01-13

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Overall CVSS Score 8.1
Base Score 8.1 Environmental Score 8.1
impact SubScore 5.2 Temporal Score 8.1
Exploitabality Sub Score 2.8
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction Required
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46177

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-613 Insufficient Session Expiration

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 210

Sources (Detail)

Source Url
MISC https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb8...
https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d676...
https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Date Informations
2024-08-02 13:42:45
  • Multiple Updates
2024-08-02 01:31:05
  • Multiple Updates
2024-02-02 02:40:27
  • Multiple Updates
2024-02-01 12:28:25
  • Multiple Updates
2023-09-05 13:35:49
  • Multiple Updates
2023-09-05 01:27:48
  • Multiple Updates
2023-09-02 13:33:28
  • Multiple Updates
2023-09-02 01:28:13
  • Multiple Updates
2023-08-12 13:40:17
  • Multiple Updates
2023-08-12 01:27:31
  • Multiple Updates
2023-08-11 13:31:07
  • Multiple Updates
2023-08-11 01:28:22
  • Multiple Updates
2023-08-06 13:28:39
  • Multiple Updates
2023-08-06 01:27:12
  • Multiple Updates
2023-08-04 13:29:06
  • Multiple Updates
2023-08-04 01:27:34
  • Multiple Updates
2023-07-14 13:29:04
  • Multiple Updates
2023-07-14 01:27:16
  • Multiple Updates
2023-03-29 02:29:02
  • Multiple Updates
2023-03-28 12:27:21
  • Multiple Updates
2023-03-24 02:15:07
  • Multiple Updates
2023-01-13 21:27:22
  • Multiple Updates
2023-01-06 00:27:12
  • First insertion