← Zuruck zu CVEs
CVE-2025-53102
CRITICAL9.8
Beschreibung
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
CVE Details
CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht7/29/2025
Zuletzt geandert8/25/2025
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
discourse:discourse
Schwachen (CWE)
CWE-384
Referenzen
https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802(security-advisories@github.com)
https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb(security-advisories@github.com)
https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.