GHSA-J76W-P754-G2W7 Mattermost doesn't validate the response body of proxied images
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...
GHSA-RQ77-P4H8-4CRW gorilla/csrf CSRF vulnerability due to broken Referer validation
Summary gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top-level domain with the target origin. Details gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it...
AZL-6487 CVE-2021-40438 affecting package httpd for versions less than 2.4.52-1
A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier...