CVE-2022-31096

Published: Jun 27, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

5.7

MEDIUM

Description

Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Once a user has been incorrectly added to a restricted group, the user may then be able to view content which that are restricted to the respective group. Users are advised to upgrade to the current stable releases. There are no known workarounds to this issue.

Vendor	Product	Versions
discourse	discourse	affected `< 2.8.5; stable branch` affected `< 2.9.0.beta6; beta brach`

Weaknesses (CWE)

CWE-281

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/discourse/discourse/security/advisories/GHSA-rvp8-459h-282r

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-31096

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References