PT-2024-13342 · Discourse · Discourse-Microsoft-Auth

Luqiihadia · Published 2024-02-21 · Updated 2025-02-05 · CVE-2023-46241

CVSS v3.1 9.0 Critical
Vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions discourse-microsoft-auth plugin (affected versions not specified; fixed by commit c40665f44509724b64938c85def9fb2e79f62ec8)
Description The discourse-microsoft-auth plugin enables authentication to Discourse via Microsoft accounts. On sites with this plugin enabled, an attacker can potentially take control of a victim's Discourse account. Sites whose Microsoft application (the Azure AD / Entra ID app registration) has its supported account type set to any option other than "Accounts in this organizational directory only (O365 only - Single tenant)" are vulnerable: with a multi-tenant option, Microsoft issues valid sign-in tokens for identities from any tenant, not only the organization's own, so the tenant boundary no longer limits who can authenticate to the plugin. A patch has been added in commit c40665f44509724b64938c85def9fb2e79f62ec8 of discourse-microsoft-auth.
Recommendations Update the plugin to a version that includes the patch commit. Until that is possible, remove the attack surface by disabling the plugin: set the microsoft_auth_enabled site setting to false. Then run the microsoft_auth:log_out_users rake task to log out all users with associated Microsoft accounts. To also invalidate any access an attacker may already have obtained, run the microsoft_auth:revoke rake task, which deactivates and logs out all users that have connected their accounts to Microsoft, revokes user API keys and API keys created by those users, and removes the connection records to Microsoft for those users. Note that microsoft_auth:revoke is destructive (it deactivates the affected accounts), whereas microsoft_auth:log_out_users only ends their sessions.
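The single-tenant condition above comes down to one property: a multi-tenant app registration accepts genuinely signed Microsoft tokens from tenants the site does not control, so the application itself has to pin the tenant and key the local account on a stable identifier. The following Ruby is an added example written for this page, not code from discourse-microsoft-auth or from the patch commit, showing that check on decoded Microsoft identity platform (v2.0) ID-token claims. It relies on documented claim semantics (tid is the issuing tenant, iss is https://login.microsoftonline.com/<tid>/v2.0, oid is the account's object id, and email is not verified by Microsoft); the tenant GUIDs, claim sets and helper names are assumptions made up for illustration, and signature and expiry validation are assumed to have already happened upstream.

```ruby
# Added example (not discourse-microsoft-auth's own code): pin the issuing
# tenant of a Microsoft ID token and derive a stable account-linking key.
#
# Assumed to have happened already: JWT signature, audience and expiry checks
# (e.g. in the OmniAuth strategy). This only decides whether a *valid* token
# may be linked to a local account, and under which key.

require "json"

# Hypothetical tenant GUID for the organization that owns the site.
ALLOWED_TENANT = "11111111-1111-1111-1111-111111111111"

class UntrustedTenant < StandardError; end

# Returns the key to look up / link the local account by, or raises if the
# token was issued by a tenant other than the pinned one.
def microsoft_identity_key(claims, allowed_tenant: ALLOWED_TENANT)
  tid = claims["tid"].to_s
  iss = claims["iss"].to_s
  oid = claims["oid"].to_s

  # A multi-tenant registration lets any tenant obtain a signed token for
  # this audience; the token is genuine, just not from our organization.
  unless tid == allowed_tenant
    raise UntrustedTenant, "token issued by tenant #{tid.empty? ? '<none>' : tid}"
  end
  # The issuer must agree with the tenant claim so the two cannot be mixed.
  unless iss == "https://login.microsoftonline.com/#{allowed_tenant}/v2.0"
    raise UntrustedTenant, "issuer #{iss} does not match pinned tenant"
  end
  raise ArgumentError, "missing oid claim" if oid.empty?

  # Key on (tid, oid), never on email: email is chosen by whoever controls
  # the issuing tenant and is not verified by Microsoft.
  "#{tid}:#{oid}"
end

# Boolean form for policy checks that do not want the exception.
def microsoft_login_allowed?(claims, allowed_tenant: ALLOWED_TENANT)
  microsoft_identity_key(claims, allowed_tenant: allowed_tenant)
  true
rescue UntrustedTenant, ArgumentError
  false
end

# Constructed sample claim sets (not real tokens). Both carry the same
# email; only the first was issued by the organization's tenant.
LEGIT_CLAIMS = JSON.parse(<<~CLAIMS)
  {"iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
   "tid": "11111111-1111-1111-1111-111111111111",
   "oid": "aaaaaaaa-0000-0000-0000-000000000001",
   "email": "victim@example.org"}
CLAIMS

FOREIGN_CLAIMS = JSON.parse(<<~CLAIMS)
  {"iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
   "tid": "22222222-2222-2222-2222-222222222222",
   "oid": "bbbbbbbb-0000-0000-0000-000000000002",
   "email": "victim@example.org"}
CLAIMS

if __FILE__ == $PROGRAM_NAME
  puts microsoft_identity_key(LEGIT_CLAIMS)     # accepted, keyed on tid:oid
  puts microsoft_login_allowed?(FOREIGN_CLAIMS) # false: foreign tenant
end
```

Run with `ruby tenant_pin.rb`. The point of the foreign claim set is that nothing about it is forged: a multi-tenant registration would hand the plugin a properly signed token carrying the victim's email address, and only the tenant pin (or, equivalently, the single-tenant setting at the app registration) keeps that identity from being matched to the victim's local account.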

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2023-46241
GHSA-2W32-W539-3M7R

Affected Products

Discourse-Microsoft-Auth