Security Vulnerabilities
Permission control vulnerability in the startup recovery module.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
CVSS Score
6.8
EPSS Score
0.0
Published
2025-11-28
Permission control vulnerability in the distributed component.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score
8.0
EPSS Score
0.0
Published
2025-11-28
Permission control vulnerability in the App Lock module.
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.1
EPSS Score
0.0
Published
2025-11-28
An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability.
CVSS Score
8.5
EPSS Score
0.0
Published
2025-11-28
An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service (Redis) information to li-admin users. This can lead to privilege escalation.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-28
An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-28
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
CVSS Score
9.9
EPSS Score
0.001
Published
2025-11-27
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint
CVSS Score
4.3
EPSS Score
0.0
Published
2025-11-27
SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-27
Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.
CVSS Score
3.5
EPSS Score
0.0
Published
2025-11-27