Discourse Plugin Vulnerability Affects Microsoft Authentication
CVE-2023-46241

8.1 HIGH

Key Information:

Vendor: Discourse
CVE Published: 21 February 2024

Summary

The discourse-microsoft-auth plugin, which provides Microsoft-based user authentication for Discourse sites, contains a vulnerability that may expose user accounts to unauthorized control. The issue arises when the Microsoft application backing the plugin is configured with an account type other than "Accounts in this organizational directory only (O365 only - Single tenant)". Attackers may exploit such a configuration to manipulate user accounts, potentially compromising sensitive information. Affected sites are advised to apply the patch in commit c40665f44509724b64938c85def9fb2e79f62ec8, which also adds a new microsoft_auth:revoke rake task. This task logs out affected users, revokes their API keys and disconnects their accounts from Microsoft. As a temporary mitigation, administrators can disable the plugin until the patch has been applied.

Affected Version(s)

discourse-microsoft-auth < c40665f44509724b64938c85def9fb2e79f62ec8

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
