Zephrfish

**Name of the Vulnerable Software and Affected Versions** Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14 **Description** An issue exists where msgpack-encoded WebSocket frames are not properly validated before memory allocation. This allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users by sending a crafted binary WebSocket message to the public WebSocket endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14 **Description** Authenticated users with file upload or posting permissions can cause a denial of service resulting in server Out of Memory (OOM) by uploading a crafted TIFF file or posting a URL that serves one. This occurs because the software fails to validate the TIFF IFD (Image File Directory) offset in the image header before allocating memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.