SUSE CVE-2018-21258

An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invitepeople slash command...

GO-2025-4185 Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server

Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server...

Improper Access Control

github.com/mattermost/mattermost-server is vulnerable to improper access control. The vulnerability is due to Mattermost failing to verify whether a user has permission to join a team when using the original invite token, which allows an attacker to manipulate the OAuth state and join any team on...

CVE-2025-58386

In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new...

CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration

OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...

CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration

OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...

CVE-2025-66223

OpenObserve (cloud-native observability platform) before v0.16.0 is affected by an access-control issue in the invitation token lifecycle. Tokens did not expire, remained valid after a user was removed, and allowed multiple invitations to the same email with different roles—resulting in a removed...

CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration

OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...

EUVD-2025-199752

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

Microsoft Teams Flaw in Guest Chat Exposes Users to Malware Attacks

New research from Ontinue exposes a major security flaw in Microsoft Teams B2B Guest Access. Learn how attackers bypass all Defender for Office 365 protections with a single invite...

PT-2025-48174

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

CVE-2025-65672

CVE-2025-65672 concerns an insecure direct object reference (IDOR) in ClassroomIO 0.1.13, enabling unauthorized sharing and inviting access to course settings. Connected sources consistently describe the root cause as broken access control with IDOR, allowing a student‑level user to manipulate co...

CVE-2025-65672

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

GO-2025-4146 Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server

Mattermost Server is vulnerable to a Denial of Service attack through invitepeople command in github.com/mattermost/mattermost-server...

CVE-2025-54320

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests...

EUVD-2025-198072

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests...

CVE-2025-54320

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests...

CVE-2025-54320

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests...

CVE-2025-54320

In Ascertia SigningHub up to version 8.6.8, the Invite Users function lacks rate limiting, enabling an authenticated attacker to automate invites and trigger an email bombing scenario. Affected software: Ascertia SigningHub (versions through 8.6.8). Underlying issue: insufficient throttling on th...

CVE-2025-54320

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests...