Security
Headlines
HeadlinesLatestCVEs

Tag

#intel

GHSA-xr3w-rmvj-f6m7: Mattermost has an Observable Timing Discrepancy vulnerability

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.

ghsa
Open in Source
#vulnerability#web#git#oracle#intel#oauth#auth
GHSA-3q4q-wqm6-hvf3: Mattermost has a Missing Authorization vulnerability

Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions.

GHSA-6q7m-p8cc-998r: Mattermost has a Missing Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.

GHSA-7cr3-38jm-6p45: Mattermost has a Missing Authorization vulnerability

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint

GHSA-r6qj-894f-5hr2: Mattermost has a Missing Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.

GHSA-424h-xj87-m937: Mattermost has an Incorrect Authorization vulnerability

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint

ThreatsDay Bulletin: $15B Crypto Bust, Satellite Spying, Billion-Dollar Smishing, Android RATs & More

The online world is changing fast. Every week, new scams, hacks, and tricks show how easy it’s become to turn everyday technology into a weapon. Tools made to help us work, connect, and stay safe are now being used to steal, spy, and deceive. Hackers don’t always break systems anymore — they use them. They hide inside trusted apps, copy real websites, and trick people into giving up control

The Power of Vector Databases in the New Era of AI Search

In my 15 years as a software engineer, I’ve seen one truth hold constant: traditional databases are brilliant…

F5 Confirms Nation-State Breach, Source Code and Vulnerability Data Stolen

F5 has confirmed it was the victim of a state-sponsored cyberattack that allowed hackers to access its internal…

Open PLC and Planet vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.   For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability