Filtered by vendor Mattermost
Subscriptions
Total
311 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-1332 | 1 Mattermost | 1 Mattermost Server | 2024-08-03 | 4.3 Medium |
| One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. | ||||
| CVE-2022-1003 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.3 Low |
| One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads. | ||||
| CVE-2022-1002 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 2 Low |
| Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | ||||
| CVE-2022-0904 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document. | ||||
| CVE-2022-0903 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 5.3 Medium |
| A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body. | ||||
| CVE-2022-0708 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
| Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure. | ||||
| CVE-2023-50333 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 3.7 Low |
| Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | ||||
| CVE-2023-49874 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | ||||
| CVE-2023-49809 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. | ||||
| CVE-2023-49607 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | ||||
| CVE-2023-48732 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. | ||||
| CVE-2023-48369 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
| Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. | ||||
| CVE-2023-48268 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
| Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb). | ||||
| CVE-2023-47865 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
| Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled | ||||
| CVE-2023-47858 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. | ||||
| CVE-2023-47168 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
| Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to= | ||||
| CVE-2023-46701 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 6.5 Medium |
| Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | ||||
| CVE-2024-2450 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 8.8 High |
| Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. | ||||
| CVE-2023-45847 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 4.3 Medium |
| Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | ||||
| CVE-2023-45316 | 1 Mattermost | 1 Mattermost Server | 2024-08-02 | 7.3 High |
| Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | ||||