Lolcabanon

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.8 Description: The issue arises from Mattermost's failure to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, potentially allowing an attacker to cause a server-side request forgery (SSRF) if Mattermost is deployed in Oracle Cloud or Alibaba. This could enable an attacker to remotely manipulate server requests. Recommendations: For Mattermost versions 9.5.x through 9.5.8, upgrade Mattermost immediately to mitigate the risk of server-side request forgery. As a temporary workaround, consider restricting access to the metadata endpoints of Oracle Cloud and Alibaba to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Mattermost Mobile Apps versions <=2.18.0 Description: The issue arises when the Mattermost Mobile Apps fail to disable autocomplete during login while typing the password and the visible password option is selected. This allows the password to be saved in the dictionary if the user has Swiftkey as the default keyboard and the password contains a special character. The masking of the password must be off for this issue to occur. Recommendations: For Mattermost Mobile Apps versions <=2.18.0, update to a version higher than 2.18.0 to resolve the issue. As a temporary workaround, consider disabling the autocomplete feature in the Swiftkey keyboard settings or avoiding the use of special characters in passwords until a patch is available. Additionally, restricting access to the login feature or using a different keyboard can minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.5 Mattermost version 9.8.0 **Description** The issue allows a high-privileged attacker with access to the audit logs to read message contents due to the failure to sanitize the RemoteClusterFrame payloads before audit logging them. **Recommendations** For Mattermost versions 9.5.x through 9.5.5, update to a version that addresses this issue. For Mattermost version 9.8.0, update to a version that addresses this issue. As a temporary workaround, consider restricting access to the audit logs to minimize the risk of exploitation.