Discourse up to 2.4.0.beta1 input validation

Summaryinfo

A vulnerability classified as critical has been found in Discourse up to 2.4.0.beta1. Impacted is an unknown function. The manipulation leads to input validation. This vulnerability is referenced as CVE-2019-1020018. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Discourse up to 2.4.0.beta1. This issue affects some unknown processing. The manipulation with an unknown input leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Discourse before v2.4.0.beta2 lacks a confirmation screen when logging in via an email link.

The weakness was published 07/29/2019. The identification of this vulnerability is CVE-2019-1020018 since 07/26/2019. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 2.4.0.beta2 eliminates this vulnerability.

Similar entry is available at VDB-138934. Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Chat Software

Name

• Discourse

Version

• 2.4.0.beta1

License

• open-source

Website

• Product: https://github.com/discourse/discourse/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion