Filtered by vendor Mattermost
Subscriptions
Total
311 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-39830 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 8.1 High |
Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. | ||||
CVE-2024-39807 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.1 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. | ||||
CVE-2024-39767 | 1 Mattermost | 1 Mattermost Mobile | 2024-08-02 | 4.2 Medium |
Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications. | ||||
CVE-2024-39353 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 2.7 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents. | ||||
CVE-2024-39361 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.1 Low |
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts | ||||
CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 2.7 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | ||||
CVE-2024-32945 | 1 Mattermost | 1 Mattermost Mobile | 2024-08-02 | 2.6 Low |
Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions. | ||||
CVE-2024-24776 | 1 Mattermost | 1 Mattermost Server | 2024-08-01 | 3.1 Low |
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions. | ||||
CVE-2024-23319 | 1 Mattermost | 1 Mattermost Server | 2024-08-01 | 3.5 Low |
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message. | ||||
CVE-2024-6428 | 1 Mattermost | 1 Mattermost | 2024-08-01 | 5.3 Medium |
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. | ||||
CVE-2024-1402 | 1 Mattermost | 1 Mattermost Server | 2024-08-01 | 4.3 Medium |
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post. |