6.5
CVE-2024-54682 - Zipbomb DoS via Missing Slack Import Validation
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.
6.5
CVE-2024-54083 - DoS via lack of type validation in Calls
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.
4.8
CVE-2024-48872 - Bypass of "Max failed attempts" restriction via race condition
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being bl…
8.1
CVE-2024-12646 - Chunghwa Telecom topm-client - Arbitrary File Delete
The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs thro…
5.3
CVE-2024-9679 -
A Hardcoded Cryptographic key vulnerability existed in DLP Extension 11.11.1.3 which allowed the decryption of previously encrypted user credentials.
6.5
CVE-2024-12645 - Chunghwa Telecom topm-client - Arbitrary File Read
The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs throu…
7.1
CVE-2024-12644 - Chunghwa Telecom tbm-client - Arbitrary File Copy and Paste
The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phis…
8.1
CVE-2024-12643 - Chunghwa Telecom tbm-client - Arbitrary File Delete
The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs throu…
4.9
CVE-2024-9678 -
An SQL Injection vulnerability existed in DLP Extension 11.11.1.3. The vulnerability allowed an attacker to perform arbitrary SQL queries potentially leading to command execution.
8.1
CVE-2024-12642 - Chunghwa Telecom TenderDocTransfer - Arbitrary File Write
TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs th…