PT-2025-34001 · Unknown · Cozmoslabs Paid Member Subscriptions

Name of the Vulnerable Software and Affected Versions: Cozmoslabs Paid Member Subscriptions versions through 2.15.4 Description: The software contains an improper control of filename for include/require statements, leading to a PHP local file inclusion issue. Recommendations: Update Cozmoslabs Pa...

Unspecified Vulnerability in Mattermost Confluence Plugin (CNVD-2025-21461)

Mattermost Confluence Plugin is a plugin from Mattermost USA. Mattermost Confluence Plugin contains a security vulnerability that can be exploited by attackers to cause the creation of channel subscriptions...

Unspecified Vulnerability in Mattermost Confluence Plugin (CNVD-2025-21448)

Mattermost Confluence Plugin is a plugin from Mattermost USA. Mattermost Confluence Plugin contains a security vulnerability that can be exploited by attackers to cause the creation of channel subscriptions...

Unspecified Vulnerability in Mattermost Confluence Plugin (CNVD-2025-21453)

Mattermost Confluence Plugin is a plugin from Mattermost USA. Mattermost Confluence Plugin contains a security vulnerability that can be exploited by attackers to cause unauthorized channel subscriptions...

Malicious code in @frozen-team-qa/subscriptions-service (npm)

The package @frozen-team-qa/subscriptions-service was found to contain malicious code...

MAL-2025-7963 Malicious code in @frozen-team-qa/subscriptions-service (npm)

The package @frozen-team-qa/subscriptions-service was found to contain malicious code...

CVE-2025-44001

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint...

CVE-2025-8285

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint...

CVE-2025-54458

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint...

CVE-2025-48731

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint...

CVE-2025-54478

Mattermost Confluence Plugin version 1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint...

CVE-2025-53857

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to an API call to edit the channel subscription endpoint. An attacker can modify channel subscriptions by sending unauthorized API requests. Remediation Upgrade...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to an API call to edit the channel subscription endpoint. An attacker can modify channel subscriptions by sending unauthorized API requests. Remediation Upgrade...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the handleGetChannelSubscription function. An attacker can create unauthorized channel subscriptions by making API calls without proper access checks. Remediation Upgrade...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the GET autocomplete/GetChannelSubscriptions endpoint. An attacker can retrieve channel subscription details by making unauthorized API calls. Remediation Upgrade...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the GET autocomplete/GetChannelSubscriptions endpoint. An attacker can retrieve channel subscription details by making unauthorized API calls. Remediation Upgrade...

Mattermost Confluence Plugin has Missing Authorization vulnerability

Mattermost Confluence Plugin versions 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint...

Mattermost Confluence Plugin is Missing Authentication for Critical Function

Mattermost Confluence Plugin versions 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint...

GHSA-QPJQ-C5HR-7925 Mattermost Confluence Plugin is Missing Authentication for Critical Function

Mattermost Confluence Plugin versions 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint...