In Discourse stable versions up to and including 3.3.1, beta versions up to and including 3.4.0.beta1, and tests-passed versions up to and including 3.4.0.beta1, a medium severity vulnerability, CVE-2024-45051, was detected. This vulnerability allows attackers to use a maliciously crafted email address to bypass domain-based restrictions, potentially granting them unauthorized access to private sites, categories, and groups within Discourse. To fix this issue, users should upgrade Discourse to stable versions 3.3.2 and higher, beta versions 3.4.0.beta2 and higher, or tests-passed versions 3.4.0.beta2 and higher. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-45051.
In Discourse stable versions prior to 3.3.1 and tests-passed versions prior to 3.4.0.beta1, a medium severity vulnerability, CVE-2024-43789, was detected. This vulnerability allows attackers to overload the Discourse system by creating a post with many replies and fetching them all at once. To fix this issue, users should upgrade Discourse to stable versions 3.3.1 and higher or tests-passed versions 3.4.0.beta1 and higher. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-43789.
In Mastodon versions prior to 4.1.16 and prior to 4.2.8, a medium severity vulnerability, CVE-2024-34535, was detected. This vulnerability allows attackers to bypass API endpoint rate limiting by sending a specially crafted HTTP request header. To fix this issue, users should upgrade Mastodon to version 4.1.17 or 4.2.9. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-34535.
In Discourse versions before 2.9.0, a medium severity vulnerability, CVE-2024-47772, was detected. This vulnerability allows attackers to run harmful JavaScript code in users' browsers by sending a specially crafted chat message on Discourse sites with security settings (CSP) disabled. To fix this issue, users should upgrade Discourse to version 2.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47772.
In Mattermost versions 9.5.x up to and including 9.5.8, a medium severity vulnerability, CVE-2024-45843, was detected. This vulnerability allows attackers to exploit the lack of SSRF denylist entries for Oracle Cloud and Alibaba in Mattermost, potentially leading to unauthorized access to internal services or data. To fix this issue, users should upgrade Mattermost to version 9.11.0 or 9.5.9. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-45843.
In Mattermost versions 9.5.x <= 9.5.8, a low severity vulnerability, CVE-2024-47145, was detected. This vulnerability allows attackers to view posts and files from archived channels via file links, even when access to archived channels is disabled. To fix this problem, users should upgrade to version 9.11.0 or 9.5.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47145.
In Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8, a low severity vulnerability, CVE-2024-47003, was detected. This vulnerability allows attackers to crash the frontend by sending a non-string value as the message in a permalink post. To fix this problem, users should upgrade to version 10.0.0, 9.11.1, or 9.5.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47003.
In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8 and earlier, a medium severity vulnerability, CVE-2024-46934, was detected. This vulnerability allows attackers to inject XSS payloads by exploiting the UpdateOTRAck method in Rocket.Chat. To fix this problem, users should upgrade to version 6.13.0 or 6.12.1; the fix has also been backported to 6.11.3, 6.10.6, 6.9.7, and 6.7.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46934.
In Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, and 9.5.x <= 9.5.8, a medium severity vulnerability, CVE-2024-9155, was detected. This vulnerability allows attackers to view channel files that have not been linked to a post in channels they are a member of. No patched version is currently available for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9155.