Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the stable
branch and 2.9.0beta5 on the beta
and tests-passed
branches, inviting users on sites that use single sign-on could bypass the must_approve_users
check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the stable
branch and version 2.9.0.beta5
on the beta
and tests-passed
branches. As a workaround, disable invites or increase min_trust_level_to_allow_invite
to reduce the attack surface to more trusted users.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Discourse | Discourse | * | 2.8.4 (excluding) |
Discourse | Discourse | 2.9.0-beta1 (including) | 2.9.0-beta1 (including) |
Discourse | Discourse | 2.9.0-beta2 (including) | 2.9.0-beta2 (including) |
Discourse | Discourse | 2.9.0-beta3 (including) | 2.9.0-beta3 (including) |
Discourse | Discourse | 2.9.0-beta4 (including) | 2.9.0-beta4 (including) |