In Mattermost versions 10.0.x ≤ 10.0.0 and 9.11.x ≤ 9.11.2, a medium severity vulnerability, CVE-2024-52032, was detected. This vulnerability allows attackers to retrieve the names of private channels they are not a member of through the channel switcher feature, provided Elasticsearch v8 is enabled. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52032.
In Mattermost versions from 9.11.x prior to 9.11.1 and from 9.5.x prior to 9.5.9, a low severity vulnerability, CVE-2024-10214, was detected. This vulnerability allows attackers to create two active sessions, increasing the chance of unauthorized access. To fix this issue, users should update Mattermost to versions 9.11.2, 9.5.10, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10214.
In Mattermost versions 9.10.0 to 9.10.2, 9.11.0 to 9.11.1, and 9.5.0 to 9.5.9, a medium severity vulnerability, CVE-2024-50052, was found. This issue allows authenticated users to delete any post because the system fails to verify the message's origin. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-50052.
In Mattermost versions 9.10.x ≤ 9.10.2, 9.11.x ≤ 9.11.1, and 9.5.x ≤ 9.5.9, a medium severity vulnerability, CVE-2024-47401, was detected. This vulnerability allows attackers to send a specially crafted request to Playbooks that produces an amplified GraphQL response large enough to crash the application. To fix this issue, users must upgrade to version 8.0.0 or later, specifically the version released after 2024-09-26. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47401.
In Mattermost versions 9.5.x up to 9.5.9, a medium severity vulnerability, CVE-2024-10241, was detected. This vulnerability allows attackers to see the names of private channels they should not have access to by using the cmd+K or ctrl+K shortcut. To fix this issue, users should update Mattermost to version 9.5.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10241.
In BigBlueButton versions up to, and including, 3.0.0-beta.4, a medium severity vulnerability, CVE-2023-7296, was detected. This vulnerability allows attackers with author privileges or higher to inject arbitrary web scripts through the moderator code and viewer code fields. If successful, these scripts execute when users perform specific actions, such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-7296.
In Discourse versions stable < 3.3.2 and tests-passed < 3.4.0.beta2, a high severity vulnerability, CVE-2024-47773, was detected. This vulnerability allows attackers to poison the cache with empty responses through repeated XHR requests, affecting anonymous visitors. It has been patched, and users should upgrade or disable the anonymous cache by setting DISCOURSE_DISABLE_ANON_CACHE. To fix this problem, users should upgrade to version stable >= 3.3.2 or tests-passed >= 3.4.0.beta2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47773.
In Rocket.Chat versions prior to 4.5.1, a medium severity vulnerability, CVE-2024-42027, was detected. Rocket.Chat Mobile's E2EE password has insufficient entropy, allowing attackers to crack it given enough time and resources. To fix this problem, users should upgrade to version 4.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42027.
In Discourse versions before 2.9.0, a medium severity vulnerability, CVE-2024-47772, was detected. This vulnerability allows attackers to run harmful JavaScript code in users' browsers by sending a specially crafted chat message on Discourse sites with Content Security Policy (CSP) disabled. To fix this issue, users should upgrade Discourse to version 2.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47772.