Filtered by vendor Mattermost
Subscriptions
Filtered by product Mattermost
Subscriptions
Total
77 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-2786 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands. | ||||
CVE-2023-2787 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.5 Medium |
Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. | ||||
CVE-2023-2808 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link. | ||||
CVE-2023-2793 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.5 Medium |
Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message. | ||||
CVE-2023-2792 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.5 Medium |
Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. | ||||
CVE-2023-2783 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. | ||||
CVE-2023-2785 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service | ||||
CVE-2023-2791 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium |
When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. | ||||
CVE-2023-2514 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.7 Medium |
Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. | ||||
CVE-2023-2193 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.5 Medium |
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. | ||||
CVE-2023-1562 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.5 Low |
Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | ||||
CVE-2024-39830 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 8.1 High |
Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. | ||||
CVE-2024-39807 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.1 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. | ||||
CVE-2024-39353 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 2.7 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents. | ||||
CVE-2024-39361 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.1 Low |
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts | ||||
CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 2.7 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | ||||
CVE-2024-6428 | 1 Mattermost | 1 Mattermost | 2024-08-01 | 5.3 Medium |
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. |