Security Vulnerabilities - CVEs Published In November 2023
Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.
This issue affects Apache Superset: before 2.1.2.
Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27
Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.
Users are recommended to upgrade to version 2.1.2, which fixes this issue.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27
Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to=
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27
Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27
Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1.
Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-11-27
Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.
CVSS Score
4.3
EPSS Score
0.002
Published
2023-11-27
A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response-
This issue affects OTRS: from 8.0.X through 8.0.37.
CVSS Score
8.1
EPSS Score
0.002
Published
2023-11-27
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.
CVSS Score
3.1
EPSS Score
0.004
Published
2023-11-27
Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27