In Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 a medium severity vulnerability CVE-2024-54083 was detected. This vulnerability allows attackers to cause a client-side denial of service (DoS) to users of particular channels by sending specially crafted posts. To address this issue, users should upgrade Mattermost to version 10.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54083.
In Discourse instances configured to use `FileStore::LocalStore`, versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a high severity vulnerability CVE-2024-53991 was detected. This vulnerability allows attackers who know the file name of a Discourse backup to retrieve it by crafting specific requests to nginx. To address this issue, users should upgrade to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; or tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53991.
In Discourse versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a medium severity vulnerability CVE-2024-52794 was detected. This vulnerability allows attackers to target users who click on lightbox thumbnails. To address this issue, users must upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; or tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52794.
In Discourse versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a low severity vulnerability CVE-2024-52589 was detected. This vulnerability allows moderators to view user email addresses through the Screened Emails list in the admin dashboard. To address this issue, users should upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; or tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52589.
In Discourse versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a medium severity vulnerability CVE-2024-49765 was detected. This vulnerability allows attackers to bypass Discourse Connect and create accounts or log in if local login methods are still enabled. To address this issue, users should upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; or tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-49765.
In Mattermost versions 10.1.x up to 10.1.2, 10.0.x up to 10.0.2, 9.11.x up to 9.11.4, and 9.5.x up to 9.5.12, a medium severity vulnerability CVE-2024-48872 was detected. This vulnerability allows attackers to bypass the "Max failed attempts" restriction by sending a large number of simultaneous login requests: each request passes the lockout check before any of them has recorded a failure, so many more attempts than the configured limit are evaluated before the account is blocked. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-48872.
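The bug class behind this advisory is a check-then-act race on the failed-attempt counter. The following Go program is an added illustration of that class and of the usual fix; it is not Mattermost's code and makes no claim about how Mattermost implements the counter. The names `racyLimiter`, `reservingLimiter`, `simulateBurst` and the constant `maxFailedAttempts` are all assumptions of this example. A barrier makes the interleaving deterministic so the result does not depend on scheduler timing.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed illustration of the bug class described for CVE-2024-48872.
// Not Mattermost's code: it models a generic "max failed attempts" counter.
// A login attempt is: check the lockout, run the slow credential check
// (password hashing), then record the failure. Every attempt here uses a
// wrong password, so every attempt that reaches verify() is a failure.

const maxFailedAttempts = 5 // assumed limit for this example

// limiter decides whether a login attempt may proceed. verify is the slow
// step and is only run for attempts that pass the lockout check.
type limiter interface {
	Attempt(verify func()) bool
}

// racyLimiter checks the counter and increments it later, in a separate
// critical section: every request that reads the counter before the first
// increment lands is admitted, however many there are.
type racyLimiter struct {
	mu     sync.Mutex
	failed int
}

func (r *racyLimiter) Attempt(verify func()) bool {
	r.mu.Lock()
	locked := r.failed >= maxFailedAttempts
	r.mu.Unlock()
	if locked {
		return false
	}
	verify() // race window: concurrent requests pass the check while this runs
	r.mu.Lock()
	r.failed++
	r.mu.Unlock()
	return true
}

// reservingLimiter counts the attempt in the same critical section as the
// check, so at most maxFailedAttempts requests ever reach verify().
type reservingLimiter struct {
	mu     sync.Mutex
	failed int
}

func (s *reservingLimiter) Attempt(verify func()) bool {
	s.mu.Lock()
	if s.failed >= maxFailedAttempts {
		s.mu.Unlock()
		return false
	}
	s.failed++ // reserve the slot before the slow step, not after it
	s.mu.Unlock()
	verify()
	return true
}

// simulateBurst fires n concurrent attempts and returns how many reached the
// credential check. Every in-flight verify() is held on a barrier until all n
// requests have either been rejected or entered verify(), which is the worst
// case interleaving for the racy limiter and makes the outcome deterministic.
func simulateBurst(n int, l limiter) int {
	var (
		mu       sync.Mutex
		admitted int
		settled  sync.WaitGroup // each request settles once: rejected, or inside verify()
		done     sync.WaitGroup
		release  = make(chan struct{})
	)
	settled.Add(n)
	done.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer done.Done()
			ok := l.Attempt(func() {
				settled.Done()
				<-release
			})
			if !ok {
				settled.Done()
				return
			}
			mu.Lock()
			admitted++
			mu.Unlock()
		}()
	}
	settled.Wait()
	close(release)
	done.Wait()
	return admitted
}

func main() {
	fmt.Println("racy limiter admitted:", simulateBurst(50, &racyLimiter{}))
	fmt.Println("reserving limiter admitted:", simulateBurst(50, &reservingLimiter{}))
}
```

The reserving limiter counts an attempt before the expensive verification rather than after it, so the lockout decision and the bookkeeping are one atomic step. In a multi-node deployment the same property has to hold for the shared store (an atomic increment-and-compare in the database or cache), since a per-process mutex does nothing across nodes.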
In Mattermost Android Mobile Apps versions 2.21.0 and prior, a medium severity vulnerability CVE-2024-11358 was detected. This vulnerability allows attackers with local access to the device to access files via file providers. To address this issue, users should upgrade to version 2.22.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11358.
In Mattermost versions 10.1.x up to 10.1.2, 10.0.x up to 10.0.2, 9.11.x up to 9.11.4, and 9.5.x up to 9.5.12, a medium severity vulnerability CVE-2024-54682 was detected. This vulnerability allows attackers to upload specially crafted files (zip bombs) that expand to far more data than their on-disk size, overloading and crashing the system. To fix this issue, users should upgrade Mattermost to versions 10.1.3, 10.0.3, 9.11.5, or 9.5.13. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-54682.
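A zip bomb works because the consumer trusts the archive to be roughly as large after decompression as before. The usual defence is to budget decompressed bytes and stop as soon as the budget is spent. The Go program below is an added example of that defence written for this page; it is not Mattermost's code and does not describe the fix Mattermost shipped. `extractWithBudget`, `buildSampleArchive` and `ErrBudgetExceeded` are names chosen for the example, and the archive it inspects is constructed in memory (a few MiB of zeros, which compress to a few KiB).

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Constructed example, not Mattermost's code: a bounded reader for untrusted
// zip archives. It rejects entries whose declared size would exceed the
// remaining budget and, because headers can be forged, also caps the bytes
// actually read from each entry's decompressed stream.

var ErrBudgetExceeded = errors.New("archive exceeds decompression budget")

const maxEntries = 10_000 // assumed cap; many tiny entries are a bomb of their own

// extractWithBudget walks every file in the archive, discarding the content,
// and returns the number of bytes decompressed. It returns ErrBudgetExceeded
// as soon as the running total would pass maxTotal bytes.
func extractWithBudget(archive []byte, maxTotal uint64) (uint64, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	if len(zr.File) > maxEntries {
		return 0, fmt.Errorf("%w: %d entries", ErrBudgetExceeded, len(zr.File))
	}
	var total uint64
	for _, f := range zr.File {
		remaining := maxTotal - total
		// Cheap early rejection on the declared size. The header is attacker
		// controlled, so this is an optimisation, not the enforcement.
		if f.UncompressedSize64 > remaining {
			return total, fmt.Errorf("%w: %s declares %d bytes", ErrBudgetExceeded, f.Name, f.UncompressedSize64)
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Read at most remaining+1 bytes: one byte past the budget is enough to
		// prove the entry is too large without inflating the rest of it.
		// (Go's archive/zip also errors if an entry outgrows its declared size;
		// the limit keeps the cap independent of that behaviour.)
		n, err := io.Copy(io.Discard, io.LimitReader(rc, int64(remaining)+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if uint64(n) > remaining {
			return total, fmt.Errorf("%w: %s exceeds budget mid-stream", ErrBudgetExceeded, f.Name)
		}
		total += uint64(n)
	}
	return total, nil
}

// buildSampleArchive returns a constructed archive whose single entry is
// size bytes of zeros: highly compressible, like a zip bomb's payload.
func buildSampleArchive(name string, size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name)
	if err != nil {
		panic(err)
	}
	if _, err := w.Write(make([]byte, size)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bomb := buildSampleArchive("payload.bin", 4<<20) // 4 MiB of zeros
	fmt.Printf("archive is %d bytes on disk\n", len(bomb))
	if _, err := extractWithBudget(bomb, 1<<20); err != nil {
		fmt.Println("rejected with 1 MiB budget:", err)
	}
	n, err := extractWithBudget(bomb, 8<<20)
	fmt.Println("accepted with 8 MiB budget:", n, err)
}
```

Two things the budget alone does not cover: nested archives (an entry that is itself a zip) must be charged against the same budget when they are expanded, and the budget should be sized per request and per tenant, not as a single global constant, so one upload cannot starve the others.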
In Mattermost versions 9.7.x up to 9.7.5, 9.8.x up to 9.8.2, and 9.9.x up to 9.9.2, a medium severity vulnerability CVE-2024-12247 was detected. This vulnerability allows users to keep old permissions even after permission updates are made, because the updates do not apply across all cluster nodes. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12247.