CVE-2021-3138 – Discourse 2.7.0 2FA Bypass
https://notcve.org/view.php?id=CVE-2021-3138
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. En Discourse versiones 2.7.0 hasta beta1, una omisión del límite de velocidad conlleva a una omisión del requisito de 2FA para determinadas formularios Discourse version 2.7.0 suffers from a 2FA bypass via a rate limiting bypass vulnerability. • https://github.com/Mesh3l911/CVE-2021-3138 http://packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html https://github.com/Mesh3l911/Disource https://github.com/discourse/discourse/releases • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2019-1020018
https://notcve.org/view.php?id=CVE-2019-1020018
Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link. Discourse en versiones anteriores a la 2.3.0 y 2.4.x en versiones anteriores a la 2.4.0.beta3 carece de una pantalla de confirmación cuando se inicia sesión mediante un enlace de correo electrónico. • https://github.com/discourse/discourse/commit/52387be4a44cdeaca5421ee955ba1343e836bade https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a • CWE-287: Improper Authentication •
CVE-2019-1020017
https://notcve.org/view.php?id=CVE-2019-1020017
Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP. Discourse en versiones anteriores a la 2.3.0 y 2.4.x en versiones anteriores a la 2.4.0.beta3, carece de una pantalla de confirmación cuando se inicia sesión mediante un usuario de la api OTP. • https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11 •