GHSA-9h6j-4ffx-cm84: Mattermost doesn't restrict domains LLM can request to contact upstream

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, and 9.11.x <= 9.11.9 fail to restrict the domains the LLM can request to contact upstream, which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin's Jira tool.
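The missing control described above is an outbound allowlist: before an LLM tool issues the HTTP request the model asked for, the target host should be checked against the set of upstreams the operator actually intends the tool to reach. The following is an added example written for this page, not Mattermost's or the AI plugin's own code; the `allowedUpstreams` entries, the `CheckUpstreamURL` and `NewGuardedClient` names, and the sample URLs are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// allowedUpstreams is a constructed allowlist for this example (not a
// Mattermost setting). An entry is either an exact host name or a "*."
// prefix that admits subdomains of the given domain.
var allowedUpstreams = []string{"jira.example.com", "*.atlassian.net"}

// ErrUpstreamNotAllowed is returned when the requested host is not listed.
var ErrUpstreamNotAllowed = errors.New("upstream host not in allowlist")

// hostAllowed reports whether host matches an allowlist entry exactly, or
// is a proper subdomain of a "*." entry. Comparison is case-insensitive and
// ignores a trailing dot.
func hostAllowed(host string, allowed []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, entry := range allowed {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, "*.") {
			suffix := entry[1:] // ".atlassian.net"
			if strings.HasSuffix(host, suffix) && host != suffix {
				return true
			}
		} else if host == entry {
			return true
		}
	}
	return false
}

// CheckUpstreamURL validates a URL that the model asked the tool to fetch.
// It requires https, rejects embedded credentials and IP literals (which
// bypass name-based allowlists), and then applies the host allowlist.
func CheckUpstreamURL(raw string, allowed []string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not permitted")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	if net.ParseIP(host) != nil {
		return nil, errors.New("IP literal not permitted")
	}
	if !hostAllowed(host, allowed) {
		return nil, ErrUpstreamNotAllowed
	}
	return u, nil
}

// NewGuardedClient returns an http.Client that re-validates every redirect
// target against the same allowlist, so an allowed host cannot bounce the
// request on to a host that is not allowed.
func NewGuardedClient(allowed []string) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := CheckUpstreamURL(req.URL.String(), allowed)
			return err
		},
	}
}

func main() {
	// Constructed sample requests a model might emit; no network I/O here.
	samples := []string{
		"https://jira.example.com/rest/api/2/issue/PROJ-1",
		"https://team.atlassian.net/rest/api/2/search",
		"https://collector.example.net/?data=secret", // not listed
		"http://jira.example.com/",                   // wrong scheme
		"https://10.0.0.1/",                          // IP literal
	}
	for _, s := range samples {
		if _, err := CheckUpstreamURL(s, allowedUpstreams); err != nil {
			fmt.Printf("BLOCK %s: %v\n", s, err)
		} else {
			fmt.Printf("ALLOW %s\n", s)
		}
	}
	_ = NewGuardedClient(allowedUpstreams)
}
```

The allowlist is checked twice by design: once on the URL the model produced, and again inside `CheckRedirect`, because a listed host that replies with a 3xx would otherwise let the client follow the redirect anywhere. Rejecting IP literals keeps the check name-based; a deployment that also needs to block internal address ranges after DNS resolution would add a resolver-level check on top of this.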

CVE-2025-31363

Low severity GitHub Reviewed Published Apr 16, 2025 to the GitHub Advisory Database • Updated Apr 16, 2025

Package: gomod github.com/mattermost/mattermost/server/v8 (Go)

Affected versions:
>= 10.5.0, < 10.5.1
>= 10.4.0, < 10.4.3
>= 9.11.0, < 9.11.10
< 8.0.0-20250218121836-2b5275d87136

Patched versions:
10.5.1
10.4.3
9.11.10
8.0.0-20250218121836-2b5275d87136

Published to the GitHub Advisory Database: Apr 16, 2025
Last updated: Apr 16, 2025
