Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-9fpw-c9x7-cv3j: Mattermost allows remote actor to set arbitrary RemoteId values for synced users

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.

ghsa
#git
GHSA-cmc8-222c-vqp9: Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels

GHSA-jq3g-xqpx-37x3: Mattermost failed to properly validate synced reactions

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts

GHSA-56mc-f9w7-2wxq: Mattermost failed to disallow the modification of local users when syncing users in shared channels

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.

GHSA-r6qh-j42j-pw64: Beego privilege escalation vulnerability

An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the `sendMail` function located in the `beego/core/logs/smtp.go` file.

GHSA-wr3p-r5fj-wf97: Beego privilege escalation vulnerability

An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the `getCacheFileName` function in the `file.go` file.

GHSA-mpvx-whpp-99xj: Filestash skips TLS certificate verification process when sending out email verification codes

Default configurations in the ShareProofVerifier function of filestash v0.4 causes the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack.

GHSA-4jmm-c6jw-g796: Filestash configured to skip TLS certificate verification when using the FTPS protocol

filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

GHSA-p9w4-585h-g3c7: biscuit-auth vulnerable to public key confusion in third party block

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: - the public key of the previous block (used in the signature) - the public keys part of the token symbol table (for public key interning in datalog expressions) A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Consider the following example (nominal case) - Authority `A` emits the following token: `check if thirdparty("b") trusting ${pubkeyB}` - The well-behaving holder then generates a third-party block request based on the token and sends it to third-party authority `B` - Third-party `B` generates the following third-party block `thirdparty("b"); check if thirdparty("c") trusting ${pubkeyC}` - The token holder now must obtain a third-party block from third ...

GHSA-258h-f687-4226: PheonixAppAPI has visible Encoding Maps

### Impact The issue is that the map of encoding/decoding languages are visible in code. ### Patches The problem was patched in 0.2.4. ### Workarounds The only known workaround is apply the fix to the code manually.