CVE-2021-3138
7.5 HIGHIn Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms
Published: 2021-01-14 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-307
Affected products
| Vendor | Product |
|---|---|
| discourse | discourse |
Description
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-3138
- [Exploit reference]http://packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html
- [Other]https://github.com/Mesh3l911/Disource
- [Other]https://github.com/discourse/discourse/releases
- [Exploit reference]http://packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html
- [Other]https://github.com/Mesh3l911/Disource
- [Other]https://github.com/discourse/discourse/releases
Related CVEs
Same vendor
- CVE-2026-34154 — Discourse is an open-source discussion platform (5.3 MEDIUM)
- CVE-2026-33514 — Discourse is an open-source discussion platform (4.3 MEDIUM)
- CVE-2026-32244 — Discourse is an open-source discussion platform (5.3 MEDIUM)
- CVE-2021-41163 — Discourse is an open source platform for community discussion (10.0 CRITICAL)
- CVE-2021-41140 — Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post (5.3 MEDIUM)
Same CWE
- CVE-2026-6853 — Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd (9.8 CRITICAL)
- CVE-2026-3329 — A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository v...
- CVE-2026-43926 — FOSSBilling is a free, open-source billing and client management system
- CVE-2026-36612 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 1... (6.4 MEDIUM)
- CVE-2026-36607 — Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change e... (8.8 HIGH)