
1115 matches found

NVD
added 2025/12/25 5:16 a.m., 1 view

CVE-2025-49088

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ One Touch Join for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service...

CVSS 5.9, EPSS 0.00075
Exploits 0, References 1
Vulnrichment
added 2025/12/25 12:00 a.m., 1 view

CVE-2025-49088

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ One Touch Join for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service...

CVSS 5.9, AI score 6.4, EPSS 0.00075
Exploits 0, References 1
Cvelist
added 2025/12/25 12:00 a.m., 14 views

CVE-2025-49088

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ One Touch Join for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service...

CVSS 5.9, EPSS 0.00075
Exploits 0, References 1
CVE
added 2025/12/25 12:00 a.m., 12 views

CVE-2025-49088

Pexip Infinity versions 32.0–37.1 (before 37.2) are affected by improper input validation in the OTJ (One Touch Join) service when configuring Teams SIP Guest Join. A remote attacker can trigger a denial of service by sending a crafted calendar invite, leading to a software abort. Red Hat and EUV...

CVSS 5.9, AI score 6.4, EPSS 0.00075
Exploits 0, References 1, Affected Software 1
NVD
added 2025/12/23 11:15 p.m., 1 view

CVE-2025-68667

Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10,...

CVSS 9.9, EPSS 0.001
Exploits 0, References 6
OSV
added 2025/12/23 10:45 p.m., 3 views

CVE-2025-68667 Conduit-derived homeservers are affected by a Confused Deputy and Improper Input Validation issue

Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10,...

CVSS 9.9, AI score 6.8, EPSS 0.001
Exploits 0, References 8
Positive Technologies
added 2025/12/23 12:00 a.m., 3 views

PT-2025-52860

Name of the Vulnerable Software and Affected Versions: continuwuity versions prior to 0.5.0. Description: A remote, unauthenticated attacker can force the target server to cryptographically sign arbitrary membership events. This occurs because the server does not validate the origin of a signing...

CVSS 9.9, AI score 6.8, EPSS 0.001
Exploits 0, References 12
RedhatCVE
added 2025/12/18 6:46 p.m., 2 views

CVE-2025-13324

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

CVSS 3.7, AI score 6.8, EPSS 0.00034
Exploits 0, References 1
EUVD
added 2025/12/17 9:30 p.m., 0 views

EUVD-2025-203920

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users from private channels via token replay attack...

CVSS 4.3, AI score 6.4, EPSS 0.00034
Exploits 0, References 2
OSV
added 2025/12/17 9:30 p.m., 4 views

GHSA-X3R8-2HMH-89F5 Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate a...

CVSS 4.3, AI score 6.7, EPSS 0.00034
Exploits 0, References 6
Github Security Blog
added 2025/12/17 9:30 p.m., 7 views

Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate a...

CVSS 3.7, AI score 6.8, EPSS 0.00034
Exploits 0, References 6, Affected Software 3
OSV
added 2025/12/17 7:16 p.m., 2 views

CVE-2025-13324

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

CVSS 3.7, AI score 6.9
Exploits 0, References 1
NVD
added 2025/12/17 7:16 p.m., 2 views

CVE-2025-13324

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

CVSS 3.7, EPSS 0.00034
Exploits 0, References 1
Snyk
added 2025/12/17 6:44 p.m., 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization involving invite tokens. An attacker can manipulate channel memberships, including adding or removing users from private channels, by replaying intercepted tokens. Remediation: Upgrade...

CVSS 5.4, AI score 6.8, EPSS 0.00034
Exploits 0, References 2
Cvelist
added 2025/12/17 6:14 p.m., 24 views

CVE-2025-13324 Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

CVSS 3.7, EPSS 0.00034
Exploits 0, References 1
Vulnrichment
added 2025/12/17 6:14 p.m., 1 view

CVE-2025-13324 Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...

CVSS 3.7, AI score 6.4, EPSS 0.00034
Exploits 0, References 1
CVE
added 2025/12/17 6:14 p.m., 7 views

CVE-2025-13324

CVE-2025-13324 affects Mattermost server versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, and 10.12.x

CVSS 3.7, AI score 6.4, EPSS 0.00034
Exploits 0, References 1, Affected Software 1
Veracode
added 2025/12/17 12:31 p.m., 5 views

Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to Improper Authorization. The vulnerability is due to failure to verify whether a user has permission to join a Mattermost team when processing the original invite token, which allows an attacker to manipulate the RelayState parameter and joi...

CVSS 8.1, AI score 6.5, EPSS 0.00049
Exploits 0, References 5, Affected Software 2
SUSE CVE
added 2025/12/17 2:19 a.m., 2 views

SUSE CVE-2017-18902

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...

CVSS 5.3, AI score 7, EPSS 0.00172
Exploits 0, References 2
Positive Technologies
added 2025/12/17 12:00 a.m., 3 views

PT-2025-51854

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users from private channels via token replay attack...

CVSS 4.3, AI score 7, EPSS 0.00034
Exploits 0, References 2