Security Headlines: Latest CVEs

Source: ghsa

GHSA-6mx3-9qfh-77gj: Mattermost denial of service through long emoji value

Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to repeatedly send a very long string as the emoji value, causing high resource consumption and possibly crashing the server.

GHSA-fx48-xv6q-6gp3: Mattermost post fetching without auditing in compliance export

Mattermost fails to check whether compliance export is enabled when fetching posts of public channels, allowing a user who is not a member of a public channel to fetch its posts without those fetches being recorded in the compliance export.

GHSA-xgxj-j98c-59rv: Mattermost fails to properly restrict the access of files attached to posts

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

GHSA-7v3v-984v-h74r: Mattermost leaks details of AD/LDAP groups of a team

Mattermost fails to properly authorize requests that fetch the AD/LDAP groups associated with a team, allowing a user to fetch details of the AD/LDAP groups of a team of which they are not a member.

GHSA-49w7-5r33-jm9m: http-swagger XSS via PUT requests

http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files.

GHSA-75x2-6h4m-h6mx: FullStackHero's WebAPI Boilerplate host header injection vulnerability

A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request.
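The mechanism behind this class of bug is a reset-link builder that takes the link's origin from the request instead of from configuration: the attacker submits the victim's address on the forgot-password form with a spoofed Host (or X-Forwarded-Host) header, the victim receives a genuine-looking mail whose link points at the attacker's domain, and the click delivers the reset token to the attacker. The following is an added illustration, not FullStackHero's code; the header names, the `/reset-password` path, `CANONICAL_ORIGIN` and `ALLOWED_HOSTS` are assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Added example, not code from the project described above.
# CANONICAL_ORIGIN and ALLOWED_HOSTS stand in for values a real service would
# load from configuration; the header names and path are assumed.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from whatever host the client claimed.

    X-Forwarded-Host and Host are attacker-controlled on the forgot-password
    request, so the token ends up in a URL on the attacker's domain.
    """
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/reset-password?{urlencode({'token': token})}"


def host_is_allowed(headers: dict) -> bool:
    """True when the Host header (minus any port) is one we actually serve."""
    host = headers.get("Host", "")
    return host.split(":")[0].lower() in ALLOWED_HOSTS


def safe_reset_link(headers: dict, token: str) -> str:
    """Rejects spoofed hosts and builds the link from configuration only."""
    if not host_is_allowed(headers):
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    return f"{CANONICAL_ORIGIN}/reset-password?{urlencode({'token': token})}"


def link_host(url: str) -> str:
    """Hostname a mailed link would send the token to."""
    return urlsplit(url).hostname or ""


# Constructed sample requests (not captured traffic): an attacker submitting the
# victim's e-mail with a spoofed Host, and a genuine request from the real site.
SPOOFED_REQUEST = {"Host": "attacker.example.net", "X-Forwarded-Proto": "https"}
GENUINE_REQUEST = {"Host": "app.example.com"}

if __name__ == "__main__":
    print(link_host(vulnerable_reset_link(SPOOFED_REQUEST, "t0k")))  # attacker.example.net
    print(link_host(safe_reset_link(GENUINE_REQUEST, "t0k")))        # app.example.com
```

Rejecting an unexpected Host outright, rather than only ignoring it, also stops the same spoofed header from reaching any other place in the application that builds absolute URLs.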

GHSA-vr64-r9qj-h27f: Clojure Denial of Service vulnerability

An issue in Clojure versions 1.2.0 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the `clojure.core$partial$fn__5920` function.

GHSA-3hrr-xwvg-hxvr: Keycloak DoS via account lockout

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

GHSA-6qvw-249j-h44c: jose4j denial of service via specifically crafted JWE

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
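PBES2 key derivation runs PBKDF2 with the iteration count taken straight from the JWE protected header, so an unauthenticated sender chooses how much CPU the recipient burns before any authenticity check is possible. The defence is to parse the header and cap `p2c` before deriving anything. The code below is an added example of that pre-flight check, not jose4j's implementation; `MAX_P2C` is an assumed policy value and the sample JWE is constructed here with placeholder segments after the header.

```python
import base64
import hashlib
import json

# Added example, not jose4j code. MAX_P2C is an assumed cap, chosen for the
# example; tune it to what one request may cost on your service.
MAX_P2C = 1_000_000
MIN_P2C = 1000  # RFC 7518 section 4.8.1.2 recommends at least 1000 iterations

# alg -> (PBKDF2 hash, derived key length in bytes), per RFC 7518 section 4.8
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_protected_header(jwe_compact: str) -> dict:
    """Decode the protected header, the first of the five compact segments."""
    return json.loads(b64url_decode(jwe_compact.split(".")[0]))


def check_pbes2_header(header: dict, max_p2c: int = MAX_P2C) -> None:
    """Reject an abusive PBES2 header before any PBKDF2 work is started."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return  # not a PBES2 key wrap; nothing to cap here
    p2c = header.get("p2c")
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        raise ValueError("p2c must be an integer")
    if p2c < MIN_P2C:
        raise ValueError(f"p2c {p2c} is below the minimum {MIN_P2C}")
    if p2c > max_p2c:
        raise ValueError(f"p2c {p2c} exceeds the cap {max_p2c}")
    if "p2s" not in header or len(b64url_decode(header["p2s"])) < 8:
        raise ValueError("p2s must be present and at least 8 bytes")


def pbes2_derive_key(header: dict, password: bytes) -> bytes:
    """PBES2 key derivation per RFC 7518 section 4.8.1: salt = alg || 0x00 || p2s.

    The cost is linear in p2c, which is why the cap has to run first.
    """
    check_pbes2_header(header)
    hash_name, key_len = PBES2_ALGS[header["alg"]]
    salt = header["alg"].encode("ascii") + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(hash_name, password, salt, header["p2c"], dklen=key_len)


def make_jwe_with_p2c(p2c: int) -> str:
    """Constructed sample: a compact JWE whose only meaningful part is the header."""
    header = {
        "alg": "PBES2-HS256+A128KW",
        "enc": "A128GCM",
        "p2s": b64url_encode(bytes(range(1, 9))),
        "p2c": p2c,
    }
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    # encrypted key, IV, ciphertext and tag are left empty; derivation never reads them
    return ".".join([protected, "", "", "", ""])


def is_acceptable(jwe_compact: str) -> bool:
    """True when the header passes the cap (or is not PBES2 at all)."""
    try:
        check_pbes2_header(parse_protected_header(jwe_compact))
        return True
    except ValueError:  # covers JSON and base64 decode errors as well
        return False


if __name__ == "__main__":
    print(is_acceptable(make_jwe_with_p2c(4096)))       # True
    print(is_acceptable(make_jwe_with_p2c(2**31 - 1)))  # False: would pin a core for minutes
```

The check is deliberately independent of the password: a recipient that only learns the header was hostile after running PBKDF2 has already paid the full cost.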

GHSA-9xxv-q6pp-96wq: Concrete CMS Stored XSS

Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.)