Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin users email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with SiteSetting.max_invites_per_day = 0 or scope them to individual email addresses.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discourse | Discourse | * | 2.8.10 (excluding) |
| Discourse | Discourse | 2.9.0-beta1 (including) | 2.9.0-beta1 (including) |
| Discourse | Discourse | 2.9.0-beta10 (including) | 2.9.0-beta10 (including) |
| Discourse | Discourse | 2.9.0-beta2 (including) | 2.9.0-beta2 (including) |
| Discourse | Discourse | 2.9.0-beta3 (including) | 2.9.0-beta3 (including) |
| Discourse | Discourse | 2.9.0-beta4 (including) | 2.9.0-beta4 (including) |
| Discourse | Discourse | 2.9.0-beta5 (including) | 2.9.0-beta5 (including) |
| Discourse | Discourse | 2.9.0-beta6 (including) | 2.9.0-beta6 (including) |
| Discourse | Discourse | 2.9.0-beta7 (including) | 2.9.0-beta7 (including) |
| Discourse | Discourse | 2.9.0-beta8 (including) | 2.9.0-beta8 (including) |
| Discourse | Discourse | 2.9.0-beta9 (including) | 2.9.0-beta9 (including) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.