Filtered by vendor Mattermost Subscriptions
Filtered by product Mattermost Server Subscriptions
Total 212 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-1385 1 Mattermost 1 Mattermost Server 2024-08-03 3.7 Low
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
CVE-2022-1337 1 Mattermost 1 Mattermost Server 2024-08-03 4.3 Medium
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
CVE-2022-1332 1 Mattermost 1 Mattermost Server 2024-08-03 4.3 Medium
One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.
CVE-2022-0904 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
CVE-2022-0903 1 Mattermost 1 Mattermost Server 2024-08-02 5.3 Medium
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
CVE-2023-50333 1 Mattermost 1 Mattermost Server 2024-08-02 3.7 Low
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
CVE-2023-49874 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.
CVE-2023-49809 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. 
CVE-2023-49607 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.
CVE-2023-48732 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
CVE-2023-47858 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
Mattermost fails to properly verify the permissions needed for viewing archived public channels,  allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.
CVE-2023-46701 1 Mattermost 1 Mattermost Server 2024-08-02 6.5 Medium
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID
CVE-2023-45847 1 Mattermost 1 Mattermost Server 2024-08-02 4.3 Medium
Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin
CVE-2023-45316 1 Mattermost 1 Mattermost Server 2024-08-02 7.3 High
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.
CVE-2023-27265 1 Mattermost 1 Mattermost Server 2024-08-02 2.7 Low
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
CVE-2023-27266 1 Mattermost 1 Mattermost Server 2024-08-02 2.7 Low
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
CVE-2023-7113 1 Mattermost 1 Mattermost Server 2024-08-02 3.7 Low
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
CVE-2023-6727 1 Mattermost 1 Mattermost Server 2024-08-02 3.1 Low
Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. 
CVE-2023-6547 1 Mattermost 1 Mattermost Server 2024-08-02 3.7 Low
Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. 
CVE-2023-6458 1 Mattermost 1 Mattermost Server 2024-08-02 7.1 High
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.