CVE-2023-46241 – Potential account take over due to unverified emails from Microsoft Identity Platform
https://notcve.org/view.php?id=CVE-2023-46241
`discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attacker can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any option other than `Accounts in this organizational directory only (O365 only - Single tenant)` are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`. A `microsoft_auth:revoke` rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft.

References:
- https://github.com/discourse/discourse-microsoft-auth/commit/c40665f44509724b64938c85def9fb2e79f62ec8
- https://github.com/discourse/discourse-microsoft-auth/security/advisories/GHSA-2w32-w539-3m7r
- https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types

Weakness: CWE-863: Incorrect Authorization
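The account-linking mistake behind this class of bug, shown as an added Ruby example that is not the plugin's code: the vulnerable path links a local account on the email claim of a token from any tenant, while the hardened path trusts the email only when the token's tenant (`tid`) is the site's configured single tenant and otherwise keys on the stable issuer/`oid` pair. The claim names follow Microsoft identity platform ID tokens; the tenant ids, accounts and tokens are constructed sample data.

```ruby
# Added example, not code from discourse-microsoft-auth. Claims mimic a decoded
# Microsoft identity platform ID token (iss, tid, oid, email); all values below
# are constructed sample data.
ALLOWED_TENANT = "aaaaaaaa-1111-2222-3333-444444444444" # the site's own tenant (constructed)

# Local accounts keyed by lower-cased email address (constructed).
LOCAL_ACCOUNTS = { "victim@example.org" => { id: 1 } }

# Token minted by some other tenant that simply asserts the victim's address.
FOREIGN_CLAIMS = {
  "iss"   => "https://login.microsoftonline.com/bbbbbbbb-5555-6666-7777-888888888888/v2.0",
  "tid"   => "bbbbbbbb-5555-6666-7777-888888888888",
  "oid"   => "99999999-0000-1111-2222-333333333333",
  "email" => "victim@example.org",
}

# Token from the configured tenant for the same address.
HOME_CLAIMS = FOREIGN_CLAIMS.merge(
  "iss" => "https://login.microsoftonline.com/#{ALLOWED_TENANT}/v2.0",
  "tid" => ALLOWED_TENANT,
  "oid" => "12121212-3434-5656-7878-909090909090",
)

# Vulnerable pattern: the email claim is trusted no matter which tenant issued
# the token, so whoever can get that address asserted is linked to the account.
def link_by_email_only(claims)
  account = LOCAL_ACCOUNTS[claims["email"].to_s.downcase]
  account ? { action: :link, account_id: account[:id] } : { action: :create }
end

# Hardened pattern: a previously linked (issuer, oid) pair always wins; the
# email claim is consulted only for tokens issued by the configured tenant,
# and a token from any other tenant can at most create a fresh, unlinked account.
def link_with_tenant_check(claims, allowed_tenant: ALLOWED_TENANT, linked_uids: {})
  uid = "#{claims['iss']}|#{claims['oid']}"
  return { action: :link, account_id: linked_uids[uid] } if linked_uids.key?(uid)
  if claims["tid"] == allowed_tenant
    account = LOCAL_ACCOUNTS[claims["email"].to_s.downcase]
    return { action: :link, account_id: account[:id] } if account
  end
  { action: :create, uid: uid }
end

if __FILE__ == $PROGRAM_NAME
  p link_by_email_only(FOREIGN_CLAIMS)      # vulnerable: foreign tenant reaches the account
  p link_with_tenant_check(FOREIGN_CLAIMS)  # hardened: foreign tenant gets a new account
  p link_with_tenant_check(HOME_CLAIMS)     # hardened: home tenant may still link by email
end
```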