Filtered by vendor Mattermost
Subscribe
Search
Total
66 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-7114 | 1 Mattermost | 1 Mattermost | 2024-01-05 | N/A | 8.8 HIGH |
| Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | |||||
| CVE-2023-45316 | 1 Mattermost | 1 Mattermost Server | 2023-12-14 | N/A | 8.8 HIGH |
| Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | |||||
| CVE-2023-49607 | 1 Mattermost | 1 Mattermost Server | 2023-12-14 | N/A | 7.5 HIGH |
| Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | |||||
| CVE-2023-45847 | 1 Mattermost | 1 Mattermost Server | 2023-12-14 | N/A | 7.5 HIGH |
| Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | |||||
| CVE-2023-48268 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 7.5 HIGH |
| Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb). | |||||
| CVE-2023-40703 | 1 Mattermost | 1 Mattermost | 2023-12-01 | N/A | 7.5 HIGH |
| Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. | |||||
| CVE-2023-4108 | 1 Mattermost | 1 Mattermost | 2023-08-15 | N/A | 7.5 HIGH |
| Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | |||||
| CVE-2023-3581 | 1 Mattermost | 1 Mattermost Server | 2023-07-27 | N/A | 8.1 HIGH |
| Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | |||||
| CVE-2023-3591 | 1 Mattermost | 1 Mattermost Server | 2023-07-27 | N/A | 8.2 HIGH |
| Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. | |||||
| CVE-2023-3590 | 1 Mattermost | 1 Mattermost Server | 2023-07-27 | N/A | 7.5 HIGH |
| Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. | |||||
| CVE-2023-3615 | 1 Mattermost | 1 Mattermost | 2023-07-26 | N/A | 8.1 HIGH |
| Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. | |||||
| CVE-2022-1548 | 1 Mattermost | 1 Playbooks | 2022-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins. | |||||
| CVE-2022-1384 | 1 Mattermost | 1 Mattermost Server | 2022-04-27 | 6.0 MEDIUM | 8.8 HIGH |
| Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities. | |||||
| CVE-2021-37866 | 1 Mattermost | 1 Mattermost Boards | 2022-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization. | |||||
| CVE-2021-37861 | 1 Mattermost | 1 Mattermost | 2021-12-13 | 5.0 MEDIUM | 7.5 HIGH |
| Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. | |||||
| CVE-2020-14458 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004. | |||||
| CVE-2019-20874 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change. | |||||
| CVE-2019-20880 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph. | |||||
| CVE-2019-20881 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA. | |||||
| CVE-2019-20855 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration. | |||||
| CVE-2019-20859 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input. | |||||
| CVE-2020-14451 | 2 Apple, Mattermost | 2 Iphone Os, Mattermost Mobile | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013. | |||||
| CVE-2020-14449 | 1 Mattermost | 1 Mattermost Mobile | 2021-07-21 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Mobile Apps before 1.30.0. Authorization tokens can sometimes be disclosed to third-party servers, aka MMSA-2020-0018. | |||||
| CVE-2019-20845 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import. | |||||
| CVE-2019-20864 | 1 Mattermost | 1 Mattermost Plugins | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account. | |||||
| CVE-2019-20885 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. | |||||
| CVE-2019-20852 | 1 Mattermost | 1 Mattermost Mobile | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content). | |||||
| CVE-2020-13891 | 1 Mattermost | 1 Mattermost | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022. | |||||
| CVE-2019-20841 | 1 Mattermost | 1 Mattermost Server | 2021-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks. | |||||
| CVE-2017-18884 | 1 Mattermost | 1 Mattermost Server | 2020-06-30 | 5.5 MEDIUM | 8.1 HIGH |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. | |||||
| CVE-2018-21264 | 1 Mattermost | 1 Mattermost Server | 2020-06-30 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response. | |||||
| CVE-2019-20848 | 1 Mattermost | 1 Mattermost Mobile | 2020-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Quick Reply feature mishandles crafted replies. | |||||
| CVE-2017-18906 | 1 Mattermost | 1 Mattermost Server | 2020-06-29 | 4.9 MEDIUM | 8.1 HIGH |
| An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account. | |||||
| CVE-2017-18886 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands. | |||||
| CVE-2019-20863 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted. | |||||
| CVE-2019-20861 | 1 Mattermost | 1 Mattermost Desktop | 2020-06-26 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link. | |||||
| CVE-2017-18871 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name. | |||||
| CVE-2016-11069 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change. | |||||
| CVE-2017-18894 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 5.5 MEDIUM | 8.1 HIGH |
| An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover. | |||||
| CVE-2015-9548 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed. | |||||
| CVE-2018-21263 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response. | |||||
| CVE-2020-14456 | 1 Mattermost | 1 Mattermost Desktop | 2020-06-25 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006. | |||||
| CVE-2017-18903 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 5.1 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. | |||||
| CVE-2017-18909 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 4.3 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. | |||||
| CVE-2018-21248 | 1 Mattermost | 1 Mattermost Server | 2020-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials. | |||||
| CVE-2016-11066 | 1 Mattermost | 1 Mattermost Server | 2020-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information. | |||||
| CVE-2018-21258 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command. | |||||
| CVE-2017-18917 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens. | |||||
| CVE-2019-20854 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message. | |||||
| CVE-2019-20862 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands. | |||||