CVE-2021-37693: 
NixOS vulnerability analysis and mitigation

Discourse, an open-source platform for community discussion, was found to have a security vulnerability (CVE-2021-37693) affecting versions before 2.7.8 and 2.8.0.beta4. The vulnerability was discovered and disclosed on August 13, 2021. The issue affected the email verification process when users add additional email addresses to their existing accounts (GitHub Advisory).

The vulnerability stems from improper handling of email tokens during the email verification process. When users add additional email addresses to their accounts, an email token is generated for verification. However, if the additional email address is deleted, the system fails to invalidate the unused token. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 score of 7.5 (NVD).

The vulnerability allows unused email tokens to remain valid even after the associated email address is deleted. These tokens could then be exploited in other contexts, including password reset operations, potentially leading to unauthorized account access (GitHub Advisory).

The issue has been patched in Discourse versions 2.7.8 and 2.8.0.beta4 and later. The fix involves properly destroying EmailTokens when EmailChangeRequest is destroyed. Users are advised to upgrade to the patched versions (GitHub Commit).