1 results (0.002 seconds)

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

`discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any options other than `Accounts in this organizational directory only (O365 only - Single tenant)` are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`. A `microsoft_auth:revoke` rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft. • https://github.com/discourse/discourse-microsoft-auth/commit/c40665f44509724b64938c85def9fb2e79f62ec8 https://github.com/discourse/discourse-microsoft-auth/security/advisories/GHSA-2w32-w539-3m7r https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types • CWE-863: Incorrect Authorization •