Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-c6vp-jjgv-38wj: Mattermost allows remote/synthetic users to create sessions, reset passwords

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

ghsa
Open in Source
#git
GHSA-4ww8-fprq-cq34: Mattermost doesn't redact remote users' original email addresses

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.

GHSA-cgrq-wvfj-v28j: Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users

Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users.

GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges. The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5. "On GitHub Enterprise Server instances that use SAML single sign-on (SSO)

Fraudulent Slack ad shows malvertiser&#8217;s patience and skills

Once again, threat actors seek out Google search ads for top software downloads, but this time they show a lot of patience and bring on evasion tricks.

My child had her data stolen—here’s how to protect your kids from identity theft 

Getting a notification that your child's data has been stolen is sadly becoming more commonplace. Here are some things you can do to avoid identity theft.

GHSA-fpgj-cr28-fvpx: CWA-2024-006: wasmd non-deterministic module_query_safe query

**Component:** wasmd **Criticality:** Medium ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L:Likely) **Patched versions:** wasmd 0.53.0 See [CWA-2024-006](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-006.md) for more details.

GHSA-g8w7-7vgg-x7xg: CWA-2024-005: Stackoverflow in wasmd

**Component:** wasmd **Criticality:** High ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Critical; L:Likely) **Patched versions:** wasmd 0.53.0, 0.46.0 See [CWA-2024-005](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-005.md) for more details.

GHSA-w5pw-gmcw-rfc8: squirrelly Code Injection vulnerability

squirrellyjs squirrelly v9.0.0 was discovered to contain a code injection vulnerability via the component `options.varName`. The issue was fixed in version 9.1.0.

GHSA-w7cp-g8v7-r54m: Apache Airflow Cross-site Scripting Vulnerability

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.