ghsa

Mattermost Desktop App versions < 6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs. A fix is available for direct download via the [Mattermost Desktop](https://github.com/mattermost/desktop/releases/tag/v6.0.0) repository, but it has not been uploaded to the npm registry at time of publication.

Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users from private channels via token replay attack.

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.

### Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. ### Affected product and versions Projects are affected if they meet the following preconditions: - Applications using the Auth0 Wordpress plugin with version between 5.0.0-BETA0 and 5.4.0, - Auth0 Wordpress plugin uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0. ### Resolution Upgrade Auth0 Wordpress plugin to version 5.5.0 or greater. ### Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

### Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. ### Affected product and versions Projects are affected if they meet the following preconditions: - Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0 - Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0. ### Resolution Upgrade Auth0/symfony to version 5.6.0 or greater. ### Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

### Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. ### Affected product and versions Users are affected if they meet the following preconditions: - Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0, - Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0. ### Resolution Upgrade Auth0/laravel-auth0 to version 7.20.0 or greater. ### Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

### Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. ### Affected product and versions Projects are affected if they meet the following preconditions: - Applications using the Auth0-PHP SDK, versions between v8.0.0 and v8.17.0, or - Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: - a. Auth0/symfony, - b. Auth0/laravel-auth0, - c. Auth0/wordpress. ### Resolution Upgrade Auth0/Auth0-PHP to version 8.18.0 or greater. ### Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue. Thank you to https://hackerone.com/yardenporat for disclosure, @0dd for contributing the fix.

An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. The project was archived as of December 1, 2023.

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references. ### Original Description In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.