CVE-2022-31184 — Email activation route can be abused by spammers in Discourse

Description

Discourse is the an open source discussion platform. In affected versions an email activation route can be abused to send mass spam emails. A fix has been included in the latest stable, beta and tests-passed versions of Discourse which rate limits emails. Users are advised to upgrade. Users unable to upgrade should manually rate limit email.

How to fix CVE-2022-31184

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-31184 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 2.8.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (3)

WEBgithub.com/discourse/discourse/commit/af1cb735db7fb73217b85d22dbadd1bc824ac0b0
WEBgithub.com/discourse/discourse/security/advisories/GHSA-m5w9-8gp8-2hrf
WEBnvd.nist.gov/vuln/detail/CVE-2022-31184