Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-08-01 CVE-2024-39274 Unspecified vulnerability in Mattermost
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels.
network
low complexity
mattermost
6.5
2024-08-01 CVE-2024-39837 Unspecified vulnerability in Mattermost Server
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
network
low complexity
mattermost
5.4
2024-08-01 CVE-2024-39839 Unspecified vulnerability in Mattermost Server
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to prevent users from setting their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would then be synced to the local server as long as the user hadn't been synced before.
network
low complexity
mattermost
4.3
2024-08-01 CVE-2024-41162 Unspecified vulnerability in Mattermost Server
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
network
low complexity
mattermost
4.3
2024-08-01 CVE-2024-41926 Origin Validation Error vulnerability in Mattermost Server
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and to allow only the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
network
low complexity
mattermost CWE-346
4.3
2024-08-01 CVE-2024-2455 The Element Pack - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget wrapper link URL in all versions up to, and including, 7.9.0 due to insufficient input sanitization and output escaping on user supplied attributes.
network
low complexity
6.4
2024-08-01 CVE-2024-6346 The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirectURL parameter of the Date Countdown widget, in all versions up to, and including, 2.2.85a due to insufficient input sanitization and output escaping on user supplied attributes.
network
low complexity
6.4
2024-08-01 CVE-2024-25948 Out-of-bounds Write vulnerability in Dell EMC Idrac Service Module
Dell iDRAC Service Module version 5.3.0.0 and prior contains an out-of-bounds write vulnerability.
local
low complexity
dell CWE-787
4.4
2024-08-01 CVE-2024-38481 Out-of-bounds Read vulnerability in Dell EMC Idrac Service Module
Dell iDRAC Service Module version 5.3.0.0 and prior contains an out-of-bounds read vulnerability.
local
low complexity
dell CWE-125
4.4
2024-08-01 CVE-2024-38489 Out-of-bounds Write vulnerability in Dell EMC Idrac Service Module
Dell iDRAC Service Module version 5.3.0.0 and prior contains an out-of-bounds write vulnerability.
local
low complexity
dell CWE-787
4.4