ghsa

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. 

http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files.

An issue in Clojure versions 1.2.0 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the `clojure.core$partial$fn__5920` function.

A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request.

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.

Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.)