Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-fx48-xv6q-6gp3: Mattermost post fetching without auditing in compliance export

Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export. 

ghsa
Open in Source
#vulnerability#git
GHSA-xgxj-j98c-59rv: Mattermost fails to properly restrict the access of files attached to posts

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

GHSA-7v3v-984v-h74r: Mattermost leaks details of AD/LDAP groups of a teams

Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. 

GHSA-49w7-5r33-jm9m: http-swagger XSS via PUT requests

http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files.

GHSA-vr64-r9qj-h27f: Clojure Denial of Service vulnerability

An issue in Clojure versions 1.2.0 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the `clojure.core$partial$fn__5920` function.

GHSA-75x2-6h4m-h6mx: FullStackHero's WebAPI Boilerplate host header injection vulnerability

A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request.

GHSA-3hrr-xwvg-hxvr: Keycloak DoS via account lockout

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

GHSA-6qvw-249j-h44c: jose4j denial of service via specifically crafted JWE

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

GHSA-3rxx-8f33-7p6p: Concrete CMS Cross Site Request Forgery (CSRF) vulnerability

Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.

GHSA-45m2-8q7f-93wv: Concrete CMS Cross Site Request Forgery (CSRF) vulnerability

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.