#vulnerability

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.

**What is the version information for this release?** Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released Stable CVE-2024-8904, 129.0.6668.58/.59 9/19/2024

Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.

Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center. The two critical-rated vulnerabilities in question are listed below -  CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an

March Linux Patch Wednesday. Total vulnerabilities: 1083. 😱 879 in the Linux Kernel. 🤦‍♂️ Two vulnerabilities show signs of exploitation in the wild: 🔻 Code Injection – GLPI (CVE-2022-35914). An old vulnerability from CISA KEV, but first patched on March 3 in RedOS Linux.🔻 Memory Corruption – Safari (CVE-2025-24201). Fixed in WebKitGTK packages in Linux […]

### Impact The issue only occurs when the `CLIENT SETINFO` command times out during connection establishment. The following circumstances can cause such a timeout: 1. The client is configured to transmit its identity. This can be disabled via the `DisableIndentity` flag. 2. There are network connectivity issues 3. The client was configured with aggressive timeouts The impact differs by use case: * **Sticky connections**: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection. * **Pipelines**: All commands in the pipeline receive incorrect responses. * **Default connection pool usage without pipelining**: When used with the default [ConnPool](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L77) once a connection is returned after use with [ConnPool#Put](https://github.com/redis/go-redis/blob/8fadbef84a3f4...

### Impact The `APIExport` Virtual Workspace can be used to manage objects in workspaces that bind that `APIExport` for resources defined in the `APIExport` or specified and accepted via permission claims. This allows an API provider (via their `APIExport`) scoped down access to workspaces of API consumers to provide their services properly. The identified vulnerability allows creating or deleting an object via the `APIExport` VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. ### Patches A fix for this issue has been identified and has been publish...

The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 allows an unauthorized user to obtain entry data from forms.

A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.