Our news and updates

In GitLab Enterprise Edition versions starting from 16.5 and prior to 17.2.8, from 17.3 and prior to 17.3.4, and from 17.4 and prior to 17.4.1 a medium severity vulnerability CVE-2024-4278 was detected. This vulnerability allows a maintainer to obtain a Dependency Proxy password by editing specific settings. To address this issue, it is recommended to update to versions 17.2.8, 17.3.4, or 17.4.1 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4278.

In Spring Framework versions 6.1.0 – 6.1.11, 6.0.0 – 6.0.22, 5.3.0 – 5.3.37 a medium severity vulnerability CVE-2024-38809 was detected in applications that parse ETags from “If-Match” or “If-None-Match” request headers. This vulnerability allows attackers to execute a Denial of Service attack. To fix this issue, upgrade to versions 6.1.x to 6.1.12, 6.0.x to 6.0.23, and 5.3.x to 5.3.38. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38809.

In Mautic versions from 1.0.0-beta2 to 4.4.11 a critical severity vulnerability CVE-2021-27915 was detected. This vulnerability allows logged-in users with appropriate permissions to exploit XSS vulnerabilities in the description fields. This could result in elevated access to the system. To fix this issue, upgrade to version 4.4.12 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-27915.

In Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, and 9.5.x <= 9.5.8 a medium severity vulnerability was detected. This vulnerability allows attackers to retrieve post and file information from archived channels, even when viewing archived channels is disabled. Examples include flagged or unread posts and files. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-42406.

In Authentik versions prior to 2024.8.3 and 2024.6.5 a medium severity vulnerability CVE-2024-47077 was detected. This vulnerability allows attackers to steal access tokens from one application and use them to access or impersonate users in other applications without authorization. To fix this issue, users should upgrade Authentik to versions 2024.8.3 or 2024.6.5. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47077.

In Mautic versions 1.0.0-beta4 to 4.4.12 and 5.0.0-alpha to 5.1.0 (mautic/core and mautic/core-lib via Composer) a high severity vulnerability CVE-2021-27917 was detected. This stored XSS vulnerability allows attackers to inject malicious scripts into the contact tracking and page hits report, potentially compromising sensitive data. To fix this issue, users must upgrade to versions 4.4.13 or 5.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2021-27917.

In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier a high severity vulnerability CVE-2024-47048 was detected. This vulnerability allows attackers to inject harmful code into app descriptions, which could lead to stealing personal data or taking control of user accounts. To fix this issue, users should upgrade Rocket.Chat to version 6.12.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47048.

In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier a low severity vulnerability CVE-2024-46936 was detected. Rocket.Chat is vulnerable to message forgery, allowing attackers to impersonate other users and send fake messages. To fix this problem, users should upgrade to version 6.13.0, 6.12.1, and the backported versions 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46936.

In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier a medium severity vulnerability CVE-2024-46935 was detected. This vulnerability allows attackers to crash the Rocket.Chat workspace by sending specially crafted messages, potentially causing a denial of service (DoS). To fix this problem, users should upgrade to version 6.13.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46935.