Key vulnerability information

Summary
Title: Insecure default configuration allows non-admin moderators to take over non-staff accounts via email change
Severity: Moderate (5.1/10)
CVE ID: CVE-2025-69289

Impact
A privilege escalation vulnerability allows a non-admin moderator to bypass email-change restrictions, enabling the takeover of non-staff accounts.

Affected and patched versions
Affected versions:
- >= 0
- >= 2025.11.0-latest
- >= 2025.12.0-latest
- >= 2026.1.0-latest
Patched versions:
- 3.5.4
- 2025.11.2
- 2025.12.1
- 2026.1.0

Technical metrics (CVSS 4.0)
Exploitability metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: High
- User Interaction: None
Vulnerable system impact metrics:
- Confidentiality: Low
- Integrity: Low
- Availability: None
Subsequent system impact metrics:
- Confidentiality: None
- Integrity: None
- Availability: None

Mitigation
Ensure moderators are trusted, or enable the "require_change_email_confirmation" setting so that an email change must be confirmed before it takes effect.

Other information
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Weaknesses: No CWEs
Publisher: davidtaylorhq
Published: 3 hours ago
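The advisory describes the takeover path only at the level of "a moderator changes a non-staff user's email" and names a confirmation setting as the mitigation. The following added example is a small stand-alone model of why that mitigation works; it is not the project's own code, and the product is assumed to be Discourse (the publisher and the setting name point that way, but the advisory does not say so). The `EmailChangePolicy` class, the `Outcome` struct and the helper functions are illustrative assumptions, and the user records are constructed. With the insecure default, a moderator's change takes effect immediately, so a subsequent password-reset mail lands in the attacker's mailbox; with confirmation required, the change stays pending until a token delivered to the current address is presented, so the address of record never moves without the account holder's cooperation.

```ruby
# Added example (not the project's implementation): model of an email-change
# flow with and without the require_change_email_confirmation mitigation.
require "securerandom"

User = Struct.new(:name, :email, :admin, :moderator) do
  def staff?
    admin || moderator
  end
end

# status is :forbidden, :changed (took effect at once) or :pending.
Outcome = Struct.new(:status, :token)

class EmailChangePolicy
  def initialize(require_change_email_confirmation:)
    @require_confirmation = require_change_email_confirmation
    @pending = {} # user name => [new_email, token]; in-memory stand-in for a DB
  end

  # Assumed baseline rules: only staff may change someone else's address, and a
  # non-admin may not touch staff accounts. The advisory's bug is not modelled;
  # the point is what happens once a moderator's request is accepted.
  def request_change(actor:, target:, new_email:)
    self_change = actor.equal?(target)
    return Outcome.new(:forbidden) unless self_change || actor.staff?
    return Outcome.new(:forbidden) if !self_change && target.staff? && !actor.admin

    if @require_confirmation
      token = SecureRandom.hex(16)
      @pending[target.name] = [new_email, token]
      # The token goes to the *current* address, so only whoever controls that
      # mailbox can complete the change.
      Outcome.new(:pending, token)
    else
      target.email = new_email # insecure default: effective immediately
      Outcome.new(:changed)
    end
  end

  # Completes a pending change; returns true on success.
  def confirm(target:, token:)
    new_email, expected = @pending[target.name]
    return false unless expected && constant_time_equal?(expected, token)
    @pending.delete(target.name)
    target.email = new_email
    true
  end

  # Reset mail goes to the address of record, never to a pending address.
  def password_reset_destination(user)
    user.email
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.each_byte.zip(b.each_byte).sum { |x, y| x ^ y }.zero?
  end
end

def build_policy(require_change_email_confirmation)
  EmailChangePolicy.new(require_change_email_confirmation: require_change_email_confirmation)
end

# The advisory's scenario: a moderator points a regular user's email at an
# attacker mailbox, then a password reset is requested for that user.
def moderator_takeover_succeeds?(require_change_email_confirmation:)
  policy = build_policy(require_change_email_confirmation)
  mod    = User.new("mod", "mod@example.test", false, true)        # constructed
  victim = User.new("alice", "alice@example.test", false, false)   # constructed
  result = policy.request_change(actor: mod, target: victim, new_email: "attacker@evil.test")
  result.status != :forbidden &&
    policy.password_reset_destination(victim) == "attacker@evil.test"
end

# A moderator may not retarget a staff account under either setting.
def moderator_can_change_admin_email?(require_change_email_confirmation:)
  policy = build_policy(require_change_email_confirmation)
  mod   = User.new("mod", "mod@example.test", false, true)
  admin = User.new("root", "root@example.test", true, false)
  policy.request_change(actor: mod, target: admin, new_email: "attacker@evil.test").status != :forbidden
end

# A legitimate self-service change still completes once the token from the
# current mailbox is presented, and a guessed token is rejected.
def legitimate_change_completes?
  policy = build_policy(true)
  alice  = User.new("alice", "alice@example.test", false, false)
  result = policy.request_change(actor: alice, target: alice, new_email: "alice@new.test")
  return false unless result.status == :pending && alice.email == "alice@example.test"
  return false if policy.confirm(target: alice, token: "0" * 32)
  policy.confirm(target: alice, token: result.token) && alice.email == "alice@new.test"
end

if __FILE__ == $PROGRAM_NAME
  puts "insecure default: takeover=#{moderator_takeover_succeeds?(require_change_email_confirmation: false)}"
  puts "confirmation on:  takeover=#{moderator_takeover_succeeds?(require_change_email_confirmation: true)}"
end
```

Running the file prints `takeover=true` for the insecure default and `takeover=false` with confirmation enabled. The model deliberately keeps the staff-target rule in both modes: the setting does not replace authorization, it only stops an accepted change from taking effect before the account holder has confirmed it, which is why the advisory lists it as an alternative to fully trusting moderators rather than as a substitute for the fix.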