8 matches found
Improper Access Control
github.com/mattermost/mattermost-server is vulnerable to Improper Access Control. The vulnerability is due to the createPost function not preventing users from specifying a RemoteId for their posts, allowing attackers to create posts with user-defined post IDs. Attackers can use this to cause...
CVE-2024-6428
CVE-2024-6428 affects Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x
CVE-2024-6428 Limited DoS due to permitting creating users with user-defined IDs
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken...
CVE-2024-39361 Creating posts with user-defined IDs permitted in CreatePost API
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken...
CVE-2024-39361
CVE-2024-39361 affects Mattermost 9.8.0, 9.7.x up to 9.7.4, 9.6.x up to 9.6.2, and 9.5.x up to 9.5.5. The issue is that the CreatePost API does not prevent users from supplying a RemoteId for posts, allowing an attacker to specify both a remoteId and the post ID and thereby create posts with user...
GHSA-3783-62VC-JR7X ConsoleMe has an Arbitrary File Read Vulnerability via Limited Git command
ID: NFLX-2024-002. Impact: Authenticated users can achieve limited RCE in ConsoleMe, restricted to flag inputs on a single CLI command. Due to this constraint, it is not currently known whether full RCE is possible but it is unlikely. However, a specific flag allows authenticated users to read any...
Bime: Bime Unable to load Data Sources
BIME is unable to load the data source when a user has created a large number of data sources, and as a result it throws an error popup and the end user can't do anything; the entire page is broken and no data sources can be deleted, which leaves the entire BIME functionality broken. This is Error Popup Messa...
Chrome privilege escalation due to incorrectly cached wrapper — Mozilla
Mozilla add-on developer and community member Wladimir Palant reported broken functionality on pages that had a Link: HTTP header when an add-on was installed which implemented a Content Policy in JavaScript, such as AdBlock Plus or NoScript. Mozilla security researcher moz_bug_r_a4 demonstrated tha...