Github Security Blog
added 2025/04/16 12:31 p.m. · 10 views

Mattermost vulnerable to Observable Timing Discrepancy

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.9 · AI score 6.7 · EPSS 0.0027
Exploits 0 · References 4 · Affected Software 2
OSV
added 2025/04/16 10:15 a.m. · 4 views

CVE-2025-27936

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.9 · AI score 6.7
Exploits 0 · References 1
NVD
added 2025/04/16 10:15 a.m. · 10 views

CVE-2025-27936

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.9 · EPSS 0.0027
Exploits 0 · References 1
Vulnrichment
added 2025/04/16 9:14 a.m. · 9 views

CVE-2025-27936 Webhook Secret Exposure via Timing attack in MSteams plugin

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.3 · AI score 7 · EPSS 0.0027
Exploits 0 · References 1
CVE
added 2025/04/16 9:14 a.m. · 220 views

CVE-2025-27936

CVE-2025-27936 (Mattermost/MS Teams plugin timing attack) : The connected advisory GO-2025-3618 reports a vulnerability in the Mattermost ecosystem where the MSTeams plugin (github.com/mattermost/mattermost-plugin-msteams) and related Mattermost Server versions are susceptible to an observable ti...

CVSS 5.9 · AI score 5.2 · EPSS 0.0027
Exploits 0 · References 1 · Affected Software 2
Cvelist
added 2025/04/16 9:14 a.m. · 19 views

CVE-2025-27936 Webhook Secret Exposure via Timing attack in MSteams plugin

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVSS 5.3 · EPSS 0.0027
Exploits 0 · References 1
CNNVD
added 2025/04/16 12:00 a.m. · 2 views

Mattermost Plugin MSTeams security vulnerability

Mattermost Plugin MSTeams is a Mattermost plugin from Mattermost USA. A security vulnerability exists in Mattermost Plugin MSTeams versions prior to 2.1.0; it stems from a webhook secret comparison that does not use a constant-time algorithm, which could lead to disclosure of the secret...

CVSS 5.3 · AI score 3.8 · EPSS 0.0027
Exploits 0 · References 1
Positive Technologies
added 2025/04/16 12:00 a.m. · 3 views

PT-2025-16571 · Mattermost · Mattermost Server +1

Name of the Vulnerable Software and Affected Versions: Mattermost Plugin MSTeams versions prior to 2.1.0; Mattermost Server versions 10.5.x through 10.5.1. Description: The issue allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret...

CVSS 9.9 · AI score 4.6 · EPSS 0.00955
Exploits 1 · References 35
Snyk
added 2025/04/15 9:19 p.m. · 1 view

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Service Call functionality. A user with sufficient privileges to create Kyverno policies can expose all data from a Kubernetes cluster using a malicious Kyverno policy that makes external service cal...

CVSS 7.1 · AI score 6.9
Exploits 0 · References 2
RedhatCVE
added 2025/04/07 12:18 a.m. · 20 views

CVE-2025-32358

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This coul...

CVSS 4.1 · AI score 6.6 · EPSS 0.00219
Exploits 0 · References 1
NVD
added 2025/04/05 9:15 p.m. · 15 views

CVE-2025-32358

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This coul...

CVSS 4.1 · EPSS 0.00219
Exploits 0 · References 1
OSSF Malicious Packages
added 2025/04/05 6:22 a.m. · 5 views

Malicious code in hyper-request (PyPI)

--- -= Per source details. Do not edit below this line. =- Source: kam193 d6431cc277fd1d8f82ec5160b5943d5ee9ec08ca1a5c5ff9b1b45d67c233b1d2 The only functionality is to exfiltrate Roblox cookies. However, the current version does not contain the webhook URL yet; see reqhandler.py --- Category:...

AI score 7
Exploits 0 · References 1
OSV
added 2025/04/05 6:22 a.m. · 2 views

MAL-2025-191763 Malicious code in hyper-request (PyPI)

--- -= Per source details. Do not edit below this line. =- Source: kam193 d6431cc277fd1d8f82ec5160b5943d5ee9ec08ca1a5c5ff9b1b45d67c233b1d2 The only functionality is to exfiltrate Roblox cookies. However, the current version does not contain the webhook URL yet; see reqhandler.py --- Category:...

AI score 6.9
Exploits 0 · References 1
CVE
added 2025/04/05 12:00 a.m. · 60 views

CVE-2025-32358

The CVE describes an SSRF flaw in Zammad 6.4.x prior to 6.4.2. Authenticated admin users can enable webhooks, which trigger POST requests; if a webhook endpoint replies with a redirect, Zammad follows it with an automatic GET, enabling potential access to internal resources (e.g., local network)....

CVSS 4.1 · AI score 6.6 · EPSS 0.00219
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2025/04/05 12:00 a.m. · 11 views

CVE-2025-32358

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This coul...

CVSS 4 · EPSS 0.00219
Exploits 0 · References 1
Veracode
added 2025/04/04 4:51 a.m. · 13 views

Sensitive Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to improper error handling: sensitive data is exposed in API responses when a ValidationError is triggered in flows using the "Webhook" trigger and the "Data of Last Operation" response body...

CVSS 8.6 · AI score 6.5 · EPSS 0.00485
Exploits 1 · References 2 · Affected Software 1
Wordfence Blog
added 2025/04/03 3:20 p.m. · 57 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 24, 2025 to March 30, 2025)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...

CVSS 9.9 · AI score 10 · EPSS 0.77251
Exploits 37
OSV
added 2025/03/26 8:08 p.m. · 7 views

GHSA-FM3H-P9WM-H74H Directus's webhook trigger flows can leak sensitive data

Describe the Bug: In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user...

CVSS 8.6 · AI score 6.4 · EPSS 0.00485
Exploits 1 · References 3
Github Security Blog
added 2025/03/26 8:08 p.m. · 58 views

Directus's webhook trigger flows can leak sensitive data

Describe the Bug: In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user...

CVSS 8.6 · AI score 6.7 · EPSS 0.00485
Exploits 1 · References 3 · Affected Software 1
Vulnrichment
added 2025/03/26 5:26 p.m. · 13 views

CVE-2025-30353 Directus's webhook trigger flows can leak sensitive data

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the A...

CVSS 8.6 · AI score 7.6 · EPSS 0.00485
Exploits 1 · References 1