J5Oh

**Name of the Vulnerable Software and Affected Versions** fleetdm/fleet versions prior to 4.13 **Description** The issue is an authorization bypass problem that affects all versions of fleetdm/fleet that use the teams feature. Fleet instances without teams or with teams but without restricted team accounts are not affected. In affected versions, a team admin can erroneously add themselves as admin, maintainer, or observer on other teams. **Recommendations** For versions prior to 4.13, upgrade to version 4.13 to resolve the issue. As a temporary workaround, consider restricting team admin privileges to prevent unauthorized access to other teams. Avoid using the teams feature with restricted team accounts until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Online Discussion Forum version 1.0 Description: The messaging subsystem is susceptible to a cross-site scripting (XSS) issue in the message body, allowing an authenticated user to send messages containing javascript code that executes when the recipient views the messages page. Recommendations: For Online Discussion Forum version 1.0, consider disabling the messaging subsystem until a patch is available to prevent potential XSS attacks. Restrict access to the message body feature to minimize the risk of exploitation. Avoid allowing users to include javascript code in messages until the issue is resolved.