CVE-2023-3613
via "National Vulnerability Database".
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
CVE-2023-3591
Mattermost fails to invalidate previously generated password reset tokens when a new reset token is created.
CVE-2023-37974
Cross-Site Request Forgery (CSRF) vulnerability in Justin Klein WP Social AutoConnect plugin, versions <= 4.6.1.
CVE-2023-3590
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
CVE-2023-3581
Mattermost fails to properly validate the origin of a websocket connection, allowing a MITM attacker on Mattermost to access the websocket APIs.
CVE-2023-37985
Cross-Site Request Forgery (CSRF) vulnerability in FiveStarPlugins Restaurant Menu and Food Ordering plugin, versions <= 2.4.6.
CVE-2023-3615
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection, allowing a network attacker to intercept the WebSockets connection.
CVE-2023-3587
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state so that any user with a valid sharing link can join the board with editor access, without the UI showing the updated permissions.
CVE-2021-37386
Furukawa 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 were discovered to contain an HTML injection vulnerability via the serial number update function.
CVE-2023-3577
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
CVE-2023-35818
An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devices. An EMFI attack on ECO3 provides the attacker with a capability to influence the PC value at the CPU context level, regardless of Secure Boot and Flash Encryption status. By using this capability, the attacker can exploit another behavior in the chip to gain unauthorized access to the ROM download mode. Access to ROM download mode may be further exploited to read the encrypted flash content in cleartext format or execute stub code.
CVE-2023-28767
The configuration parser fails to sanitize user-controlled input in the Zyxel ATP series firmware versions 5.10 through 5.36, USG FLEX series firmware versions 5.00 through 5.36, USG FLEX 50(W) series firmware versions 5.10 through 5.36, USG20(W)-VPN series firmware versions 5.10 through 5.36, and VPN series firmware versions 5.00 through 5.36. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.
CVE-2022-38062
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Theme plugin, versions <= 1.0.9.
CVE-2023-3586
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards remaining accessible.
CVE-2023-3584
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
CVE-2023-34669
TOTOLINK CP300+ V5.2cu.7594 contains a Denial of Service vulnerability in function RebootSystem of the file lib/cste_modules/system, which can reboot the system.
CVE-2023-3614
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time, by linking to a specially crafted image file.
CVE-2023-3582
Mattermost fails to verify channel membership when linking a board to a channel, allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to.
CVE-2023-3593
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
CVE-2023-37475
Hamba avro is a Go encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice, and hence an attacker may consume arbitrary amounts of memory, which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4`, which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2021-37384
A remote command execution (RCE) vulnerability in the web interface component of Furukawa 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 allows unauthenticated attackers to send arbitrary commands to the device via unspecified vectors.