
(Reducing Attack Surface) Fixed an issue where specific, potentially sensitive HTTP responses could end up being cached by proxy servers. Thanks to Dibyajyoti Dutta for contributing to this improvement under the Mattermost responsible disclosure policy.

(Authorization) Fixed an issue where demoting a user to a guest would not take immediate effect in an environment with read replicas. Thanks to Erlend Leiknes from mnemonic AS for contributing to this improvement under the Mattermost responsible disclosure policy.

(Authorization) Fixed an issue where crafted HTTP requests could bypass specific plugin access controls. Fixed in: mattermost-plugin-autolink 1.2.2, mattermost-plugin-github 2.0.1. Affected: mattermost-plugin-autolink <= 1.2.1, mattermost-plugin-github <= 2.0.0. Thanks to Martin Kraft for contributing to this improvement under the Mattermost responsible disclosure policy.

(Authorization) Fixed an issue where a specific read-only admin permission could allow the creation of new S3 buckets. Thanks to redacted for contributing to this improvement under the Mattermost responsible disclosure policy.
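The proxy-caching fix above comes down to response headers: an API response that carries no Cache-Control directive may be stored by a shared cache (reverse proxy, CDN) and served to the next client, while `no-store` and `private` forbid that. The following is an added example written for this page, not Mattermost's own code; the route names, the sample JSON and the middleware name are assumptions. It wraps API routes in a middleware that marks responses uncacheable, leaves static assets cacheable, and includes a small check that reports whether a shared cache may store a given route's response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NoStore marks every response from next as uncacheable. "no-store" forbids
// any cache (shared or browser) from storing the response, "private" excludes
// shared caches even if a stale intermediary ignores no-store, and the
// Pragma/Expires pair covers HTTP/1.0 caches. Headers are set before next
// runs so a handler can still override them deliberately.
func NoStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Cache-Control", "no-store, no-cache, must-revalidate, private, max-age=0")
		h.Set("Pragma", "no-cache")
		h.Set("Expires", "0")
		next.ServeHTTP(w, r)
	})
}

// newMux builds a hypothetical router: everything under /api/ is wrapped in
// NoStore, static assets are explicitly long-lived and publicly cacheable.
func newMux() http.Handler {
	mux := http.NewServeMux()
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"email":"alice@example.com"}`) // constructed sample payload
	})
	static := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
		fmt.Fprint(w, "console.log('app')") // constructed sample asset
	})
	mux.Handle("/api/", NoStore(api))
	mux.Handle("/static/", static)
	return mux
}

// Cacheable issues a GET for path against the router and reports whether a
// shared cache may store the response. A response without Cache-Control is
// treated as cacheable, which is the conservative view when auditing: it
// means nothing on the server forbids an intermediary from keeping it.
func Cacheable(path string) bool {
	rec := httptest.NewRecorder()
	newMux().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	cc := rec.Result().Header.Get("Cache-Control")
	for _, d := range strings.Split(cc, ",") {
		switch strings.TrimSpace(strings.ToLower(d)) {
		case "no-store", "private":
			return false
		}
	}
	return true
}

func main() {
	for _, p := range []string{"/api/v4/users/me", "/static/app.js"} {
		fmt.Printf("%-20s shared-cacheable=%v\n", p, Cacheable(p))
	}
}
```

Routing the check through an in-process request is also how the property can be kept under regression test: any new API route added under the prefix inherits the header, and a route mounted outside it shows up as cacheable in the test output.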
(Authorization) Improved the password generation logic used during the bulk user import process. Thanks to Pawan Lal for contributing to this improvement under the Mattermost responsible disclosure policy.
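The entry above does not say what was wrong with the original generation logic. As an added example, not Mattermost's code, the block below shows the two properties a bulk-import password generator needs: randomness drawn from the operating system's CSPRNG (crypto/rand) and uniform selection over the alphabet (rand.Int uses rejection sampling, so there is no modulo bias). For contrast it also includes a deliberately weak generator built on math/rand with a caller-supplied seed, which reproduces the same password for the same seed; the alphabet, the 16-character minimum and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	mrand "math/rand"
	"strings"
)

// alphabet is an assumed character set: 26+26+10 alphanumerics plus 12
// symbols, 74 characters in total, so each position carries log2(74) bits.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+"

// GeneratePassword returns n characters chosen independently and uniformly
// from alphabet using crypto/rand. A 16-character floor is assumed here;
// shorter imported passwords would be weaker than a typical password policy.
func GeneratePassword(n int) (string, error) {
	if n < 16 {
		return "", errors.New("password length must be at least 16")
	}
	limit := big.NewInt(int64(len(alphabet)))
	buf := make([]byte, n)
	for i := range buf {
		idx, err := rand.Int(rand.Reader, limit) // uniform in [0, len(alphabet))
		if err != nil {
			return "", fmt.Errorf("csprng unavailable: %w", err)
		}
		buf[i] = alphabet[idx.Int64()]
	}
	return string(buf), nil
}

// WeakPassword is the pattern to avoid: math/rand seeded by the caller (in
// practice often the clock or a counter) yields a sequence anyone who knows
// or can guess the seed can replay, so every imported account would receive
// a predictable password. It is included only as a contrast.
func WeakPassword(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	buf := make([]byte, n)
	for i := range buf {
		buf[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(buf)
}

// EntropyBits is the entropy of a uniformly generated password of length n.
func EntropyBits(n int) float64 {
	return float64(n) * math.Log2(float64(len(alphabet)))
}

// InAlphabet reports whether every byte of s comes from alphabet.
func InAlphabet(s string) bool {
	for _, c := range []byte(s) {
		if strings.IndexByte(alphabet, c) < 0 {
			return false
		}
	}
	return true
}

func main() {
	p, err := GeneratePassword(24)
	if err != nil {
		panic(err)
	}
	fmt.Printf("strong: %s (%.1f bits)\n", p, EntropyBits(24))
	fmt.Printf("weak, seed 1: %s\n", WeakPassword(1, 24))
	fmt.Printf("weak, seed 1: %s (identical on every run)\n", WeakPassword(1, 24))
}
```

The generated value is only the initial credential; an importer should still deliver it out of band and force a change on first login, which the example does not cover.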

(Authorization) Fixed a bug that required a cache purge or server restart for channel moderation changes to be correctly applied. Thanks to Andrea "zi0Black" Cappa of Shielder for contributing to this improvement under the Mattermost responsible disclosure policy.

(XSS) Fixed a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. Thanks to edu for contributing to this improvement under the Mattermost responsible disclosure policy.
(Injection) Fixed an issue on Android where a malicious app installed on the device could write arbitrary files in Mattermost directories. Thanks to Sheikh Rishad for contributing to this improvement under the Mattermost responsible disclosure policy.

(Phishing) Fixed an issue on Android where a malicious app could masquerade as part of the Mattermost app.

(XSS) Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. Thanks to Aaditya Purani for contributing to this improvement under the Mattermost responsible disclosure policy.
(Remote Code Execution) Upgraded Electron to address recently disclosed vulnerabilities. Thanks to RyotaK for contributing to this improvement under the Mattermost responsible disclosure policy.

(Remote Code Execution) Changed the default choice for security dialogs to prevent unintentional approval of dangerous actions. Thanks to Elnerd for contributing to this improvement under the Mattermost responsible disclosure policy.

(Input Validation) Fixed an issue where a specially crafted link bypassed security checks and allowed opening arbitrary web pages within the desktop app. Thanks to p3rr0 for contributing to this improvement under the Mattermost responsible disclosure policy.

(Reducing Attack Surface) Enabled global sandboxing to increase security in the Desktop App.

Thanks to Adrian (thiefmaster) for contributing to this improvement under the Mattermost responsible disclosure policy.

(Authorization) Fixed an issue where an authenticated user was able to access the contents of arbitrary posts under specific conditions. Thanks to sekharlee for contributing to this improvement under the Mattermost responsible disclosure policy.

(Input Validation) Fixed an issue where email addresses were not properly sanitized during registration. Thanks to akash-hamal for contributing to this improvement under the Mattermost responsible disclosure policy.

(Reducing Attack Surface) Fixed an issue where an old email confirmation token was not properly invalidated under specific conditions. Thanks to intrigus for contributing to this improvement under the Mattermost responsible disclosure policy.

(Reducing Attack Surface) Fixed an issue where data was not properly sanitized when copied and pasted in Mattermost. Thanks to Csaba Fitzl for contributing to this improvement under the Mattermost responsible disclosure policy.

(Misconfiguration) Implemented additional Electron runtime hardening.

(Information Disclosure) Fixed an issue where Boards, when enabled, logged sensitive information at startup. Boards is enabled by default from Mattermost version 6.0 onwards. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

(Denial of Service) Fixed an issue where a maliciously crafted attachment could crash the server.
