7 Steps for Securing Generative AI in Enterprises
Think of your AI strategy like building a skyscraper. You wouldn't construct twenty floors and then try to figure out where the foundation should go. Security must be part of the blueprint from the very beginning. Bolting on security measures after an AI model is already in use is a recipe for...
CVE-2025-55070
Mattermost versions 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events...
Memos' Access Tokens Stay Valid after User Password Change
Summary Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. The bad actor though will still have...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication via the checkAutoLinking function: when auto-linking was enabled for an IdP, there was no verification to ensure that linking to the identified user was permitted. An attacker can gain unauthorized access to an...
CVE-2025-8855
Optimus Software Brokerage Automation before version 1.1.71 is affected by multiple auth-related issues: Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, and Authentication Bypass by Assumed-Immutable Data. These flaws enable exploitation ...
CVE-2025-8855 2FA Expiry Bypass in Optimus Software's Brokerage Automation
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry...
EUVD-2025-197607
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...
GHSA-MQP8-PGG5-7X7M Mattermost allows system administrators to access password hashes and MFA secrets
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the POST /api/v4/users/userid/email/verify/member endpoint. An attacker can obtain sensitive information, such as password hashes and MFA secrets, by sending crafted requests to this endpoint. Remediation Upgrad...
CVE-2025-11794
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...
CVE-2025-11794 Password hash and MFA secret returned in user email verification endpoint
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...
Mattermost does not enforce MFA on WebSocket connections
Mattermost versions 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events...
CVE-2025-55070 Lack of MFA enforcement in WebSocket connections
Mattermost versions 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events...
CVE-2025-55070
CVE-2025-55070 affects Mattermost Server versions
Unspecified Vulnerability in Rockwell Automation DataMosaix Private Cloud
Rockwell Automation DataMosaix Private Cloud is an industrial DataOps solution from Rockwell Automation, Inc. It is used to simplify and control access to relevant, reliable and contextualized data. A security vulnerability exists in Rockwell Automation DataMosaix Private Cloud that can be...
PT-2025-46949
Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.11 Mattermost versions 10.11.x through 10.11.3 Mattermost versions 10.12.x through 10.12.0 Description The software does not properly sanitize user data, potentially allowing system administrators to...
Mattermost Security Vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability exists in versions prior to Mattermost 11 that stems from a WebSocket connection that does not enforce multi-factor authentication, which could result in an unauthenticated use...