Rubygems · Omniauth-Microsoft Graph · CVE-2024-21632
**Name of the Vulnerable Software and Affected Versions**
omniauth-microsoft_graph versions prior to 2.0.0
**Description**
The implementation did not validate the legitimacy of the user's `email` attribute, nor did it provide or document an option to do so, leaving it susceptible to the nOAuth misconfiguration whenever the `email` is used as a trusted user identifier. This could lead to account takeover.
**Recommendations**
For versions prior to 2.0.0, update to version 2.0.0 to resolve the issue. As a temporary workaround until the update is applied, validate the legitimacy of the `email` attribute manually. Restrict the use of the `email` attribute as a trusted user identifier to minimize the risk of exploitation.
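The account-linking step where this matters, as an added example that is not code from the omniauth-microsoft_graph gem or this advisory: it contrasts an application that keys users on the `email` attribute of the OmniAuth auth hash with one that keys on the stable `provider` + `uid` pair and only accepts the email after a manual check. The auth hashes, the user table, the `extra.tenant_id` field and the tenant-to-domain map are all constructed here for illustration and are not attributes the gem guarantees to populate.

```ruby
# Added, self-contained illustration (not the gem's own code).
UserRecord = Struct.new(:id, :provider, :uid, :email)

# Constructed application user table: Alice signed up with her own account.
USERS = [
  UserRecord.new(1, 'microsoft_graph', 'oid-alice-0001', 'alice@example.com')
]

# Constructed auth hashes in the OmniAuth shape. The second one models the
# nOAuth situation: a different account (different uid, different tenant)
# whose email attribute has been set to Alice's address.
ALICE_AUTH = {
  'provider' => 'microsoft_graph',
  'uid'      => 'oid-alice-0001',
  'info'     => { 'email' => 'alice@example.com' },
  'extra'    => { 'tenant_id' => 'tenant-example-com' } # assumed field
}
SPOOFED_AUTH = {
  'provider' => 'microsoft_graph',
  'uid'      => 'oid-other-9999',
  'info'     => { 'email' => 'alice@example.com' },
  'extra'    => { 'tenant_id' => 'tenant-other' } # assumed field
}

# Vulnerable pattern: the email attribute is treated as the user identifier,
# so any account presenting Alice's address is mapped to Alice's record.
def find_user_by_email(auth)
  USERS.find { |u| u.email == auth['info']['email'] }
end

# Hardened pattern: the provider + uid pair is the identifier. The email
# attribute is never used to select an existing account.
def find_user_by_identity(auth)
  USERS.find { |u| u.provider == auth['provider'] && u.uid == auth['uid'] }
end

# Manual validation of the email attribute (the advisory's interim
# workaround): trust it only when the issuing tenant is one the application
# expects and the address's domain is one the application's own configuration
# associates with that tenant. This map is a constructed stand-in for that
# configuration.
TRUSTED_TENANT_DOMAINS = {
  'tenant-example-com' => ['example.com']
}

def trusted_email?(auth)
  email     = auth.dig('info', 'email').to_s
  tenant_id = auth.dig('extra', 'tenant_id')
  domain    = email.split('@', 2)[1]
  return false if domain.nil? || domain.empty?
  TRUSTED_TENANT_DOMAINS.fetch(tenant_id, []).include?(domain.downcase)
end

# Full sign-in decision: identity comes from uid; the email is carried along
# only as a secondary attribute (display, notifications) when it passes the
# check above, and is dropped otherwise.
def resolve_login(auth)
  user = find_user_by_identity(auth)
  return nil unless user
  { user_id: user.id, email: trusted_email?(auth) ? auth['info']['email'] : nil }
end
```

With these inputs, `find_user_by_email(SPOOFED_AUTH)` returns Alice's record while `find_user_by_identity(SPOOFED_AUTH)` returns `nil`, which is the whole difference the advisory's recommendation is about. The tenant check is only meaningful if the application actually restricts which tenants may sign in; a multi-tenant application that accepts any tenant should treat the email attribute as display data only.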