GHSA-9fpw-c9x7-cv3j: Mattermost allows remote actor to set arbitrary RemoteId values for synced users

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and to allow only the correct remote IDs. A malicious remote can therefore set arbitrary RemoteId values for synced users and claim that a user was synced from a different remote.

Source: GitHub Advisory Database (GitHub Reviewed); CVE ID: CVE-2024-41926

Severity: Low (GitHub Reviewed). Published to the GitHub Advisory Database: Aug 1, 2024. Updated: Aug 2, 2024.

Package: github.com/mattermost/mattermost/server/v8 (gomod, Go)

Affected versions: >= 9.5.0, < 9.5.7; = 9.9.0

Patched versions: 9.5.7; 9.9.1

Published to the GitHub Advisory Database: Aug 1, 2024

Latest GHSA news

GHSA-7p9f-6x8j-gxxp: CRI-O: Maliciously structured checkpoint file can gain arbitrary node access