Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.