A critical vulnerability, CVE-2023-46241, has been identified in the ‘discourse-microsoft-auth’ plugin, which provides Microsoft authentication for Discourse sites. It allows an attacker to take over Discourse accounts on sites that use the plugin with any account type other than ‘Accounts in this organizational directory only (O365 only – Single tenant)’. The issue is fixed in commit c40665f44509724b64938c85def9fb2e79f62ec8 of ‘discourse-microsoft-auth’.
To remediate affected sites, a ‘microsoft_auth:revoke’ rake task has been added. It deactivates and logs out every user connected to Microsoft, revokes their user API keys and the API keys associated with them, and removes their Microsoft connection records, so that those users must re-verify their account email before reconnecting their Discourse account to Microsoft. As a temporary workaround, disable the plugin by setting the ‘microsoft_auth_enabled’ site setting to ‘false’ and run the ‘microsoft_auth:log_out_users’ rake task, which logs out users with an associated Microsoft account. Note that the workaround only ends sessions and leaves API keys and Microsoft connection records in place; revoking those is what ‘microsoft_auth:revoke’ is for.
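The practical difference between the two tasks is scope: the workaround ends sessions, while the revoke task also invalidates keys and the Microsoft link. The following Ruby is an added illustration, not code from the plugin or from Discourse core; it models both mitigations over constructed in-memory records (the record shapes, field names and ‘ToySite’ class are assumptions for the toy model) so the difference is visible. The real tasks operate on Discourse's database.

```ruby
# Added illustration, not code from discourse-microsoft-auth or Discourse core.
# It models the *scope* of the two mitigations over constructed in-memory records
# so the difference between them is visible; the real tasks work on the database.
require 'set'

User = Struct.new(:id, :username, :active, :sessions, keyword_init: true)
# Loosely mirrors a user-associated-account row (provider name + provider uid);
# the field names here are an assumption for the toy model.
AssociatedAccount = Struct.new(:user_id, :provider_name, :provider_uid, keyword_init: true)
# kind is :user_api_key (issued to a user's client) or :api_key (created by that user).
ApiKey = Struct.new(:id, :user_id, :kind, :revoked, keyword_init: true)

class ToySite
  attr_reader :users, :associations, :api_keys

  def initialize(users, associations, api_keys)
    @users, @associations, @api_keys = users, associations, api_keys
  end

  # Users whose login is linked to Microsoft: the population both tasks act on.
  def microsoft_user_ids
    associations.select { |a| a.provider_name == 'microsoft' }.map(&:user_id).to_set
  end

  # Analogue of microsoft_auth:log_out_users (the temporary workaround):
  # invalidates sessions only. API keys and the Microsoft link survive.
  def log_out_users
    ids = microsoft_user_ids
    users.each { |u| u.sessions = 0 if ids.include?(u.id) }
    ids
  end

  # Analogue of microsoft_auth:revoke: deactivates and logs out linked users,
  # revokes their user API keys and the API keys they own, and removes the
  # Microsoft link so they must re-verify their email before reconnecting.
  def revoke
    ids = microsoft_user_ids
    users.each do |u|
      next unless ids.include?(u.id)
      u.active = false
      u.sessions = 0
    end
    api_keys.each { |k| k.revoked = true if ids.include?(k.user_id) }
    associations.reject! { |a| a.provider_name == 'microsoft' }
    ids
  end

  # Keys that would still authenticate requests for a user after a mitigation.
  def usable_api_keys(user_id)
    api_keys.count { |k| k.user_id == user_id && !k.revoked }
  end
end

# Constructed sample data: two users linked to Microsoft, one linked to GitHub only.
def sample_site
  users = [
    User.new(id: 1, username: 'alice', active: true, sessions: 2),
    User.new(id: 2, username: 'bob',   active: true, sessions: 1),
    User.new(id: 3, username: 'carol', active: true, sessions: 1),
  ]
  associations = [
    AssociatedAccount.new(user_id: 1, provider_name: 'microsoft', provider_uid: 'ms-111'),
    AssociatedAccount.new(user_id: 2, provider_name: 'microsoft', provider_uid: 'ms-222'),
    AssociatedAccount.new(user_id: 3, provider_name: 'github',    provider_uid: 'gh-333'),
  ]
  api_keys = [
    ApiKey.new(id: 10, user_id: 1, kind: :user_api_key, revoked: false),
    ApiKey.new(id: 11, user_id: 1, kind: :api_key,      revoked: false),
    ApiKey.new(id: 12, user_id: 3, kind: :user_api_key, revoked: false),
  ]
  ToySite.new(users, associations, api_keys)
end

# Compare what each mitigation leaves behind for alice (user 1) and carol (user 3).
def compare_mitigations
  workaround = sample_site
  workaround.log_out_users
  fix = sample_site
  fix.revoke
  {
    workaround_alice_keys: workaround.usable_api_keys(1),              # 2: keys still work
    workaround_alice_linked: workaround.microsoft_user_ids.include?(1), # true: link remains
    revoke_alice_keys: fix.usable_api_keys(1),                         # 0
    revoke_alice_active: fix.users.find { |u| u.id == 1 }.active,      # false
    revoke_alice_linked: fix.microsoft_user_ids.include?(1),           # false
    revoke_carol_keys: fix.usable_api_keys(3),                         # 1: non-Microsoft user untouched
    revoke_carol_active: fix.users.find { |u| u.id == 3 }.active,      # true
  }
end

puts compare_mitigations if $PROGRAM_NAME == __FILE__
```

The point the comparison makes is the one an operator should act on: after the workaround alone, any API key that an attacker minted while holding a taken-over account keeps working until ‘microsoft_auth:revoke’ is run. Users never linked to Microsoft are untouched by either task.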