CVE Reports

Posted on • Originally published at cvereports.com

CVE-2019-1020018: Lack of Confirmation Screen in Discourse Email Login

Vulnerability ID: CVE-2019-1020018
CVSS Score: 7.3
Published: 2019-07-29

A critical authentication vulnerability exists in Discourse versions prior to 2.3.0 and 2.4.0.beta3. The email login flow did not present a confirmation screen: clicking the magic link authenticated the user immediately via a GET request. This violates the HTTP convention that GET requests are safe and idempotent, so email security scanners, link pre-fetchers and potentially malicious scripts could inadvertently trigger authentication and invalidate the single-use login token before the user intentionally opened the link.

TL;DR

Discourse authenticated users immediately upon an HTTP GET request to the email login token URL. Automated systems such as email scanners could therefore consume the one-time token, breaking the login for the legitimate user and potentially establishing a session that nobody intended. The fix adds an intermediate confirmation screen so that the token is consumed only by a POST request.


Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Network
  • CVSS Score: 7.3 (High)
  • EPSS Score: 0.00294 (0.29%)
  • Impact: Session Management / Denial of Service
  • Exploit Status: No Known Public Exploit

Affected Systems

  • Discourse < 2.3.0 (fixed in 2.3.0)
  • Discourse 2.4.x < 2.4.0.beta3 (fixed in 2.4.0.beta3)

Code Analysis

Commit: 52387be

Initial fix introducing the confirmation screen logic

@@ -1,3 +1,3 @@ skip_before_action :check_xhr, only: %i(sso sso_login ...)
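Review bot: only the hunk header survives here, so the body of the change cannot be reviewed; the visible context is the controller's `skip_before_action :check_xhr, only: %i(sso sso_login ...)` line. The confirmation form this fix introduces is submitted as an ordinary browser POST rather than an XHR, so `email_login` must be in that `only:` list or Discourse's `check_xhr` filter will reject the form submission; worth confirming the full hunk does exactly that and adds nothing to the skip list beyond what the confirmation flow needs.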

Commit: b8340c6

Merge of security fix into stable branch

@@ -10,7 +10,7 @@ post "session/email-login/:token" => "session#email_login"
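Review bot: again only the hunk header is shown, so the diff body is not reviewable; the context line `post "session/email-login/:token" => "session#email_login"` does show the token-consuming action bound to POST, which is the substance of the fix. The user still arrives from the email link via GET, so a matching `get` route for the same path that only renders the confirmation form is required; check that it exists and that the GET handler neither marks the token as used nor creates a session.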

Mitigation Strategies

  • Upgrade Discourse to a non-vulnerable version.
  • Implement intermediate confirmation screens for all magic-link implementations.
  • Ensure state-changing operations are never bound to HTTP GET requests.
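The following is an added example, not Discourse's own code, written in Ruby because Discourse is a Rails application. It models the flaw described in the TL;DR and the mitigation bullets above with a constructed in-memory token store: a vulnerable handler that redeems the single-use token on any fetch of the URL, beside a fixed handler whose GET is side-effect free and only renders a confirmation form, with the token consumed solely by the POST from that form. The `simulate` helper replays the scenario from the advisory (a mail scanner pre-fetching the link before the user clicks it); the class and method names are assumptions for illustration.

```ruby
require 'securerandom'

# Constructed stand-in for a table of single-use email login tokens
# (example code, not Discourse's EmailToken model).
class TokenStore
  def initialize
    @tokens = {} # token => { user:, used: }
  end

  # Issue a fresh single-use token for a user (what the login email would carry).
  def issue(user)
    token = SecureRandom.hex(16)
    @tokens[token] = { user: user, used: false }
    token
  end

  # True while the token exists and has not yet been consumed.
  def valid?(token)
    rec = @tokens[token]
    !rec.nil? && !rec[:used]
  end

  # Consume the token; returns the user on first use, nil on replay or unknown token.
  def redeem(token)
    return nil unless valid?(token)
    @tokens[token][:used] = true
    @tokens[token][:user]
  end
end

# Vulnerable pattern (the pre-2.3.0 behaviour the advisory describes): the token
# is redeemed as soon as the URL is fetched, regardless of HTTP method.
class VulnerableEmailLogin
  def initialize(store)
    @store = store
  end

  def call(_method, token)
    user = @store.redeem(token)
    user ? { status: 200, body: :logged_in, session: user } : { status: 400, body: :invalid_token, session: nil }
  end
end

# Fixed pattern: GET is side-effect free and only renders a confirmation form;
# the token is consumed exclusively by the POST the user submits from that form.
class ConfirmedEmailLogin
  def initialize(store)
    @store = store
  end

  def call(method, token)
    case method
    when 'GET'
      if @store.valid?(token)
        { status: 200, body: :confirm_form, session: nil }
      else
        { status: 400, body: :invalid_token, session: nil }
      end
    when 'POST'
      user = @store.redeem(token)
      user ? { status: 200, body: :logged_in, session: user } : { status: 400, body: :invalid_token, session: nil }
    else
      { status: 405, body: :method_not_allowed, session: nil }
    end
  end
end

# Replays the scenario from the advisory: a mail security scanner pre-fetches the
# link with GET, then the real user opens it (GET) and, if shown a confirmation
# form, submits it (POST). Returns who ended up holding a session.
def simulate(handler_class, user = 'alice')
  store = TokenStore.new
  token = store.issue(user)
  handler = handler_class.new(store)

  scanner = handler.call('GET', token) # automated pre-fetch; nobody is watching this response
  click = handler.call('GET', token)   # the user opens the link in a browser
  confirm = click[:body] == :confirm_form ? handler.call('POST', token) : { session: nil }

  { scanner_session: scanner[:session], user_session: click[:session] || confirm[:session] }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(VulnerableEmailLogin) # the scanner consumed the token; the user is locked out
  p simulate(ConfirmedEmailLogin)  # the scanner's GET changed nothing; the user logs in via POST
end
```

In a real Rails application the confirmation form would also carry the CSRF token, and the two handlers correspond to a `get` and a `post` route on the same `session/email-login/:token` path, as the route context in commit b8340c6 suggests.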

Remediation Steps:

  1. Identify the current Discourse version via the admin dashboard or /about endpoint.
  2. If running a version prior to 2.3.0, schedule an immediate upgrade.
  3. If running a 2.4.x beta, upgrade to at least 2.4.0.beta3.
  4. Pull the latest Docker images: ./launcher rebuild app.
  5. Verify the fix by requesting a login email and ensuring a 'Click here to log in' button appears after clicking the link.

References


Read the full report for CVE-2019-1020018 on our website for more details including interactive diagrams and full exploit analysis.