In Drupal version 11.x-dev, a medium-severity vulnerability, CVE-2024-45440, was detected. It allows attackers to obtain the full directory path of the Drupal installation, which can provide valuable information for further attacks or exploitation, even if error logging is disabled. This vulnerability is currently unpatched. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45440.

In WordPress versions up to 2.1.0, a medium-severity vulnerability, CVE-2024-7848, was detected. It allows authenticated users, even those with low-level access, to access other users' private files due to improper validation. To fix this issue, users must upgrade WordPress to the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7848.

In Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0, a medium-severity vulnerability, CVE-2024-40884, was detected. It allows attackers with team admin access to disable the invite link for new members, even if they do not have permission to add team members, which can interfere with team management and control. To fix this problem, users should upgrade Mattermost to version 9.5.8 or 9.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40884.

In Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0, a medium-severity vulnerability, CVE-2024-39810, was detected. The ElasticSearch configuration lacks time and size limits on the CA path file, allowing a user with console access to add files such as /dev/zero, which can crash the application. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-39810.

In Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, and 9.8.x <= 9.8.2, a medium-severity vulnerability, CVE-2024-39836, was detected. Remote or synthetic users can use munged email addresses from shared channels to create sessions and reset passwords if the emails are valid. To fix this problem, users should upgrade to version 9.11.0, 9.9.2, 9.5.8, 9.10.1, or 9.8.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-39836.

In Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, and 9.8.x <= 9.8.2, a medium-severity vulnerability, CVE-2024-40886, was detected. It allows attackers to perform a one-click path traversal and launch a CSRF attack on the User Management page. To fix this problem, users should upgrade to version 9.11.0, 9.9.2, 9.5.8, 9.10.1, or 9.8.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40886.

In Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, and 9.8.x <= 9.8.2, a medium-severity vulnerability, CVE-2024-42411, was detected. It allows a user to manipulate the creation date in POST /api/v4/users, tricking the admin into believing their account is much older. To fix this problem, users must upgrade to version 9.11.0, 9.9.2, 9.5.8, 9.10.1, or 9.8.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42411.

In Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, and 9.8.x <= 9.8.2, a medium-severity vulnerability, CVE-2024-42497, was detected. It allows attackers with read-only access to teams to escalate their permissions and make unauthorized changes to team data, potentially affecting the integrity and confidentiality of the Mattermost system. To fix this problem, users should upgrade Mattermost to version 9.11.0, 9.9.2, 9.5.8, 9.10.1, or 9.8.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42497.

In Spring Framework versions 5.3.0 to 5.3.38, a medium-severity vulnerability, CVE-2024-38808, was detected. A specially crafted Spring Expression Language (SpEL) expression may cause a denial-of-service (DoS) condition. To fix this issue, users must upgrade the Spring Framework to version 5.3.39. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38808.