Filtered by vendor Mattermost
Subscriptions
Total
311 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5969 | 1 Mattermost | 1 Mattermost | 2024-09-17 | 5.3 Medium |
| Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. | ||||
| CVE-2024-45835 | 1 Mattermost | 1 Mattermost Server | 2024-09-17 | 2.5 Low |
| Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access. | ||||
| CVE-2024-39772 | 1 Mattermost | 1 Mattermost Server | 2024-09-17 | 3.7 Low |
| Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs. | ||||
| CVE-2023-5967 | 1 Mattermost | 1 Mattermost | 2024-09-12 | 4.3 Medium |
| Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin | ||||
| CVE-2023-5968 | 1 Mattermost | 1 Mattermost | 2024-09-12 | 4.9 Medium |
| Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | ||||
| CVE-2023-7114 | 1 Mattermost | 1 Mattermost | 2024-09-09 | 7.1 High |
| Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | ||||
| CVE-2023-5195 | 1 Mattermost | 1 Mattermost | 2024-09-05 | 6.5 Medium |
| Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of | ||||
| CVE-2023-5194 | 1 Mattermost | 1 Mattermost | 2024-09-05 | 2.7 Low |
| Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager | ||||
| CVE-2023-5522 | 1 Mattermost | 1 Mattermost | 2024-09-05 | 4.3 Medium |
| Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. | ||||
| CVE-2023-5160 | 1 Mattermost | 1 Mattermost | 2024-09-05 | 4.3 Medium |
| Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled | ||||
| CVE-2023-5330 | 1 Mattermost | 1 Mattermost Server | 2024-09-05 | 4.3 Medium |
| Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | ||||
| CVE-2023-5331 | 1 Mattermost | 1 Mattermost Server | 2024-09-05 | 4.3 Medium |
| Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. | ||||
| CVE-2023-5333 | 1 Mattermost | 1 Mattermost Server | 2024-09-05 | 4.3 Medium |
| Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | ||||
| CVE-2023-5339 | 1 Mattermost | 1 Mattermost Desktop | 2024-09-05 | 4.7 Medium |
| Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. | ||||
| CVE-2023-5875 | 1 Mattermost | 1 Mattermost Desktop | 2024-09-05 | 3.7 Low |
| Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server | ||||
| CVE-2023-5876 | 1 Mattermost | 1 Mattermost Desktop | 2024-09-05 | 3.1 Low |
| Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service. | ||||
| CVE-2024-39837 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 3.8 Low |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled. | ||||
| CVE-2024-39839 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 4.3 Medium |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before. | ||||
| CVE-2024-41144 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 5.5 Medium |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels | ||||
| CVE-2024-41162 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 4.1 Medium |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only. | ||||