Discourse · Discourse-Microsoft-Auth · CVE-2023-46241
**Name of the Vulnerable Software and Affected Versions**
discourse-microsoft-auth plugin (affected versions not specified)
**Description**
The `discourse-microsoft-auth` plugin enables authentication via Microsoft. On sites with this plugin enabled, an attacker can potentially take control of a victim's Discourse account. Sites whose Microsoft application registration is configured with any account type other than `Accounts in this organizational directory only (O365 only - Single tenant)` (that is, registrations that also accept other organizations' tenants or personal Microsoft accounts) are vulnerable. A patch has been added in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`.
**Recommendations**
To resolve the issue, update the plugin to a version that includes the patch commit c40665f44509724b64938c85def9fb2e79f62ec8. If updating is not immediately possible, disable the `discourse-microsoft-auth` plugin by setting the `microsoft_auth_enabled` site setting to `false`.
Run the `microsoft_auth:log_out_users` rake task to log out all users with associated Microsoft accounts; this only ends their current sessions.
Run the `microsoft_auth:revoke` rake task to deactivate and log out all users that have connected their accounts to Microsoft, revoke user API keys and API keys created by those users, and remove the connection records to Microsoft for those users.
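To make the difference in scope between the two rake tasks concrete, the following is an added illustrative example written for this page in plain Ruby. It is not the plugin's own rake code: the `Store` class and its `User`, `Token`, `ApiKey` and `Assoc` structs are a simplified stand-in for the Discourse tables involved, and the sample rows at the bottom are constructed. The log-out task only destroys sessions; the revoke task additionally deactivates the accounts, revokes API keys owned by or created by those users, and deletes the Microsoft association records.

```ruby
# Added example: a toy model of what the advisory's two rake tasks do.
# Assumed, simplified data model (not Discourse's real schema):
#   User   - account row; `active` is flipped to false on revoke
#   Token  - one row per login session
#   ApiKey - `user_id` is the key's owner (nil for an all-users key),
#            `created_by_id` is the admin who created it
#   Assoc  - external login link; provider_name "microsoft" is what matters
require 'set'

User   = Struct.new(:id, :username, :active)
Token  = Struct.new(:user_id)
ApiKey = Struct.new(:id, :user_id, :created_by_id, :revoked)
Assoc  = Struct.new(:user_id, :provider_name, :provider_uid)

class Store
  attr_reader :users, :tokens, :api_keys, :assocs

  def initialize(users:, tokens:, api_keys:, assocs:)
    @users, @tokens, @api_keys, @assocs = users, tokens, api_keys, assocs
  end

  # Users who have linked a Microsoft account.
  def microsoft_user_ids
    assocs.select { |a| a.provider_name == "microsoft" }.map(&:user_id).to_set
  end

  # Equivalent of microsoft_auth:log_out_users: only sessions are destroyed.
  # The account, its API keys and the Microsoft link all stay in place,
  # so a user can simply log back in through Microsoft afterwards.
  # Returns the number of affected users.
  def log_out_microsoft_users!
    ids = microsoft_user_ids
    tokens.reject! { |t| ids.include?(t.user_id) }
    ids.size
  end

  # Equivalent of microsoft_auth:revoke: deactivate, log out, revoke every
  # API key the user owns or created, and drop the Microsoft association
  # so the account can no longer be reached through that login path.
  # Returns the number of affected users.
  def revoke_microsoft_users!
    ids = microsoft_user_ids
    users.each { |u| u.active = false if ids.include?(u.id) }
    tokens.reject! { |t| ids.include?(t.user_id) }
    api_keys.each do |k|
      k.revoked = true if ids.include?(k.user_id) || ids.include?(k.created_by_id)
    end
    assocs.reject! { |a| a.provider_name == "microsoft" && ids.include?(a.user_id) }
    ids.size
  end
end

# Constructed sample data for the example (not taken from any real site).
def sample_store
  Store.new(
    users:    [User.new(1, "alice", true), User.new(2, "bob", true), User.new(3, "carol", true)],
    tokens:   [Token.new(1), Token.new(1), Token.new(2), Token.new(3)],
    api_keys: [ApiKey.new(10, 1, 1, false),    # alice's own key
               ApiKey.new(11, nil, 1, false),  # all-users key created by alice (admin)
               ApiKey.new(12, 3, 3, false)],   # carol's own key
    assocs:   [Assoc.new(1, "microsoft", "ms-a"),
               Assoc.new(2, "google_oauth2", "g-b"),
               Assoc.new(3, "microsoft", "ms-c")]
  )
end

if __FILE__ == $PROGRAM_NAME
  s = sample_store
  puts "log_out_users affected #{s.log_out_microsoft_users!} users; " \
       "active=#{s.users.map(&:active)} revoked=#{s.api_keys.map(&:revoked)}"
  s = sample_store
  puts "revoke affected #{s.revoke_microsoft_users!} users; " \
       "active=#{s.users.map(&:active)} revoked=#{s.api_keys.map(&:revoked)}"
end
```

Note that the all-users key created by alice is revoked too: the advisory's "API keys created by those users" covers keys an admin with a Microsoft-linked account issued for other users, which is why the revoke task, not the log-out task, is the right choice when account takeover is suspected.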