1125 matches found

OSV · added 2024/12/16 7:14 a.m. · 4 views

BIT-MATTERMOST-2024-29221

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 lacked proper access control on the /api/v4/users/me/teams endpoint, allowing a team admin to obtain their team's invite ID and thus to invite users,...

CVSS 4.7 · AI score 4.6 · EPSS 0.00331
Exploits: 0 · References: 2
Tenable Nessus · added 2024/12/04 12:00 a.m. · 8 views

Cisco IP Phone Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2007-5583)

Cisco IP Phone 7940 with firmware P0S3-08-7-00 allows remote attackers to cause a denial of service (486 Busy responses or device reboot) via a sequence of SIP INVITE transactions in which the Request-URI lacks a user name, a different vulnerability than CVE-2007-4459. This plugin only works with...

CVSS 7.8 · AI score 5.8 · EPSS 0.13989
Exploits: 2 · References: 15
OSV · added 2024/12/03 6:42 p.m. · 15 views

GHSA-F3R3-H2MQ-HX2H Synapse allows a malformed invite to break the invitee's `/sync`

Impact: Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Patches: Synapse 1.120.1 rejects such invalid invites received ov...

CVSS 8.7 · AI score 4.9 · EPSS 0.00536
Exploits: 0 · References: 3
Snyk · added 2024/12/03 6:42 p.m. · 3 views

Improper Input Validation

Overview: matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP. Affected versions of this package are vulnerable to Improper Input Validation via invite messages. An attacker can disrupt the /sync functionality by sending a specially crafted invite over federation. Workarou...

CVSS 8.7 · AI score 6.5 · EPSS 0.00536
Exploits: 0 · References: 2
OSV · added 2024/12/03 5:15 p.m. · 3 views

DEBIAN-CVE-2024-52815

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 5.3 · AI score 6.8 · EPSS 0.00536
Exploits: 0 · References: 1
NVD · added 2024/12/03 5:15 p.m. · 20 views

CVE-2024-52815

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 · EPSS 0.00536
Exploits: 0 · References: 1
Vulnrichment · added 2024/12/03 4:58 p.m. · 18 views

CVE-2024-52815 Synapse allows a malformed invite to break the invitee's `/sync`

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 · AI score 6.8 · EPSS 0.00536
Exploits: 0 · References: 1
CVE · added 2024/12/03 4:58 p.m. · 63 views

CVE-2024-52815

CVE-2024-52815 affects the Synapse project (open-source Matrix homeserver). Versions before 1.120.1 fail to properly validate invites received over federation, allowing a malicious server to send a specially crafted invite that disrupts the invited user’s /sync functionality. The issue is mitigat...

CVSS 8.7 · AI score 6.4 · EPSS 0.00536
Exploits: 0 · References: 1 · Affected Software: 1
Cvelist · added 2024/12/03 4:58 p.m. · 26 views

CVE-2024-52815 Synapse allows a malformed invite to break the invitee's `/sync`

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 · EPSS 0.00536
Exploits: 0 · References: 1
AlpineLinux · added 2024/12/03 4:58 p.m. · 19 views

CVE-2024-52815

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 · AI score 7.1 · EPSS 0.00536
Exploits: 0
OSV · added 2024/12/03 4:58 p.m. · 13 views

CVE-2024-52815 Synapse allows a malformed invite to break the invitee's `/sync`

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 · AI score 6.2 · EPSS 0.00536
Exploits: 0 · References: 3
NVD · added 2024/11/26 7:15 p.m. · 24 views

CVE-2024-52008

Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API cal...

CVSS 8.8 · EPSS 0.00525
Exploits: 0 · References: 1
CVE · added 2024/11/26 6:52 p.m. · 2796 views

CVE-2024-52008

Fides (open-source privacy engineering platform) has a password policy bypass in its invite flow. The /api/v1/user/accept-invite endpoint does not enforce the server-side password policy, allowing an invited user to set an arbitrarily weak password during initial account setup despite UI client-s...

CVSS 8.8 · AI score 6.5 · EPSS 0.00525
Exploits: 0 · References: 1 · Affected Software: 1
OSV · added 2024/11/26 6:52 p.m. · 6 views

CVE-2024-52008 Password Policy Bypass Vulnerability in Fides Webserver

Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API cal...

CVSS 2 · AI score 6.5 · EPSS 0.00525
Exploits: 0 · References: 3
OSV · added 2024/11/26 4:36 p.m. · 11 views

GHSA-V7VM-RHMG-8J2R Password Policy Bypass Vulnerability in Fides Webserver User Accept Invite API

Summary: The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the...

CVSS 5.7 · AI score 6.3 · EPSS 0.00525
Exploits: 0 · References: 4
Positive Technologies · added 2024/11/26 12:00 a.m. · 4 views

PT-2024-35092 · Fides · Fides

Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.50.0 Description: The user invite acceptance API endpoint /api/v1/user/accept-invite lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation...

CVSS 2 · AI score 6.9 · EPSS 0.00525
Exploits: 0 · References: 6
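The Fides entries above all describe the same pattern: the browser form checks password complexity, but the invite-acceptance endpoint trusts whatever it receives, so a direct API call can set a one-character password. The block below is an added example (not Fides project code) showing a handler that relies on the client beside one that re-checks the policy on the server. The rule set, the `accept_invite_*` functions, the in-memory `InviteStore` and the stand-in hasher are assumptions made for illustration.

```python
"""
Server-side password policy enforcement on an invite-acceptance endpoint.

Added example, not Fides project code. The policy rules, the
accept_invite_* functions, InviteStore and the hasher are assumptions
for illustration only.
"""
from __future__ import annotations

import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Assumed policy (illustrative, not Fides' actual rule set).
MIN_LENGTH = 8
PASSWORD_RULES = [
    (re.compile(r"[A-Z]"), "an uppercase letter"),
    (re.compile(r"[a-z]"), "a lowercase letter"),
    (re.compile(r"[0-9]"), "a digit"),
    (re.compile(r"[^A-Za-z0-9]"), "a symbol"),
]


def password_policy_violations(password: str) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    for pattern, label in PASSWORD_RULES:
        if not pattern.search(password):
            problems.append(label)
    return problems


@dataclass
class InviteStore:
    """Constructed in-memory stand-in for the invite and user tables."""
    invites: dict[str, str] = field(default_factory=dict)  # token -> username
    users: dict[str, str] = field(default_factory=dict)    # username -> hash

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(16)
        self.invites[token] = username
        return token


def _hash(password: str) -> str:
    # Stand-in for a real password hasher (argon2/bcrypt); illustration only.
    return hashlib.sha256(password.encode()).hexdigest()


def accept_invite_vulnerable(store: InviteStore, token: str, password: str):
    """Assumes the browser form already validated the password."""
    username = store.invites.pop(token, None)
    if username is None:
        return 404, {"error": "invalid or expired invite"}
    store.users[username] = _hash(password)   # any password is accepted
    return 200, {"user": username}


def accept_invite_hardened(store: InviteStore, token: str, password: str):
    """Re-checks the policy on the server, so a direct API call cannot skip it."""
    if token not in store.invites:
        return 404, {"error": "invalid or expired invite"}
    problems = password_policy_violations(password)
    if problems:
        # Leave the invite valid so the user can retry with a compliant password.
        return 422, {"error": "password policy", "missing": problems}
    username = store.invites.pop(token)
    store.users[username] = _hash(password)
    return 200, {"user": username}


def demo():
    """Send the same weak password straight to both handlers, as a raw client would."""
    weak = "a"  # what a scripted POST can send, bypassing the UI check
    store = InviteStore()
    t_alice = store.issue("alice")
    t_bob = store.issue("bob")
    vuln_status, _ = accept_invite_vulnerable(store, t_alice, weak)
    hard_status, hard_body = accept_invite_hardened(store, t_bob, weak)
    ok_status, _ = accept_invite_hardened(store, t_bob, "Correct-Horse-42")
    return vuln_status, hard_status, ok_status, hard_body["missing"]


if __name__ == "__main__":
    print(demo())
```

The hardened handler validates before it consumes the invite token, so a rejected attempt does not burn the invite, and the response lists which rules were missed rather than just refusing.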
CNNVD · added 2024/11/17 12:00 a.m. · 2 views

Flagsmith security vulnerability

Flagsmith is an open source, full-featured feature flagging and remote configuration service from Flagsmith Open Source. A security vulnerability exists in Flagsmith versions prior to 2.134.1 that stems from the ability to bypass the ALLOW_REGISTRATION_WITHOUT_INVITE setting...

CVSS 7.5 · AI score 6.8 · EPSS 0.0041
Exploits: 0 · References: 2
Positive Technologies · added 2024/11/16 12:00 a.m. · 4 views

PT-2024-35471 · Flagsmith · Flagsmith

Name of the Vulnerable Software and Affected Versions: Flagsmith versions prior to 2.134.1 Description: The issue allows bypassing the ALLOW_REGISTRATION_WITHOUT_INVITE setting. Recommendations: For versions prior to 2.134.1, update to version 2.134.1 or later to resolve the issue...

CVSS 7.5 · AI score 7.2 · EPSS 0.0041
Exploits: 0 · References: 8
Veracode · added 2024/11/12 9:37 a.m. · 4 views

Unauthorized Invite Deletion

github.com/grafana/grafana is vulnerable to unauthorized invite deletion. The vulnerability is due to insufficient access control validation in the system, where organization admins are not properly restricted to actions only within the organization they belong to. It allows admins to delete...

CVSS 2.7 · AI score 6.5 · EPSS 0.005
Exploits: 0 · References: 2 · Affected Software: 1
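The Grafana entry above is a tenant-scoping failure: the role check passes because the caller really is an org admin, but the invite is looked up by id alone, so an id from another organization is deleted too. The block below is an added example (not Grafana code) contrasting that lookup with one scoped to the caller's organization. The `Caller` and `Invite` records, the in-memory table and the `delete_invite_*` functions are assumptions made for illustration.

```python
"""
Org-scoped authorization for an invite-deletion endpoint.

Added example, not Grafana code. Caller, Invite, seed_invites and the
delete_invite_* functions are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: int
    org_id: int     # organization the session is currently acting in
    org_role: str   # role held in that organization, e.g. "Admin"


@dataclass
class Invite:
    invite_id: int
    org_id: int
    email: str


def seed_invites() -> dict[int, Invite]:
    """Constructed sample data: two organizations, one pending invite each."""
    return {
        1: Invite(1, org_id=1, email="new@org1.example"),
        2: Invite(2, org_id=2, email="new@org2.example"),
    }


def delete_invite_vulnerable(invites: dict[int, Invite], caller: Caller, invite_id: int) -> int:
    """Checks the role, then fetches the invite by id alone: no org check."""
    if caller.org_role != "Admin":
        return 403
    if invite_id not in invites:
        return 404
    del invites[invite_id]   # succeeds even when the invite belongs to another org
    return 200


def delete_invite_hardened(invites: dict[int, Invite], caller: Caller, invite_id: int) -> int:
    """Scopes the lookup to the caller's org; foreign ids are indistinguishable from missing ones."""
    if caller.org_role != "Admin":
        return 403
    invite = invites.get(invite_id)
    if invite is None or invite.org_id != caller.org_id:
        return 404           # same answer as "does not exist": no cross-org enumeration
    del invites[invite_id]
    return 200


def demo():
    """An admin of org 1 tries to delete org 2's invite against both handlers."""
    org1_admin = Caller(user_id=10, org_id=1, org_role="Admin")
    table_a = seed_invites()
    table_b = seed_invites()
    vuln = delete_invite_vulnerable(table_a, org1_admin, 2)   # cross-org delete succeeds
    hard = delete_invite_hardened(table_b, org1_admin, 2)     # refused
    own = delete_invite_hardened(table_b, org1_admin, 1)      # own org still works
    return vuln, hard, own, sorted(table_a), sorted(table_b)


if __name__ == "__main__":
    print(demo())
```

The fix is to make the organization part of the primary lookup (in SQL terms, `WHERE id = ? AND org_id = ?`) rather than a separate check that a later refactor can drop.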
Veracode · added 2024/10/23 6:24 a.m. · 3 views

Key Injection

matrix-react-sdk is vulnerable to Key Injection. The vulnerability is due to the SDK sharing historical message keys on invite, allowing a malicious homeserver to inject a malicious device and steal message keys when a user invites another user to a room...

CVSS 8.7 · AI score 6.6 · EPSS 0.0066
Exploits: 0 · References: 4 · Affected Software: 1