Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Mattermost Subscribe
Filtered by product Mattermost Server

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 175 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18901 1 Mattermost 1 Mattermost Server 2020-06-26 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
CVE-2017-18900 1 Mattermost 1 Mattermost Server 2020-06-26 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
CVE-2017-18899 1 Mattermost 1 Mattermost Server 2020-06-26 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
CVE-2017-18896 1 Mattermost 1 Mattermost Server 2020-06-26 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
CVE-2017-18895 1 Mattermost 1 Mattermost Server 2020-06-26 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
CVE-2017-18894 1 Mattermost 1 Mattermost Server 2020-06-26 5.5 MEDIUM 8.1 HIGH
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
CVE-2017-18892 1 Mattermost 1 Mattermost Server 2020-06-26 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
CVE-2017-18911 1 Mattermost 1 Mattermost Server 2020-06-26 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
CVE-2017-18915 1 Mattermost 1 Mattermost Server 2020-06-25 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
CVE-2017-18916 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVE-2017-18919 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVE-2017-18914 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
CVE-2015-9548 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
CVE-2017-18893 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
CVE-2017-18902 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
CVE-2018-21263 1 Mattermost 1 Mattermost Server 2020-06-25 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
CVE-2018-21260 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 2.7 LOW
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.
CVE-2017-18908 1 Mattermost 1 Mattermost Server 2020-06-25 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
CVE-2019-20847 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
CVE-2016-11075 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
CVE-2016-11077 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 2.7 LOW
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
CVE-2016-11078 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
CVE-2016-11079 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
CVE-2016-11080 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
CVE-2016-11082 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
CVE-2016-11081 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
CVE-2016-11083 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
CVE-2017-18905 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
CVE-2016-11071 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
CVE-2017-18910 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
CVE-2017-18904 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
CVE-2017-18903 1 Mattermost 1 Mattermost Server 2020-06-25 5.1 MEDIUM 8.8 HIGH
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
CVE-2017-18909 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
CVE-2016-11063 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
CVE-2016-11070 1 Mattermost 1 Mattermost Server 2020-06-25 3.5 LOW 5.4 MEDIUM
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
CVE-2016-11073 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
CVE-2016-11067 1 Mattermost 1 Mattermost Server 2020-06-24 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
CVE-2017-18877 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
CVE-2016-11068 1 Mattermost 1 Mattermost Server 2020-06-24 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
CVE-2017-18907 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
CVE-2017-18913 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
CVE-2017-18921 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
CVE-2018-21248 1 Mattermost 1 Mattermost Server 2020-06-24 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
CVE-2016-11066 1 Mattermost 1 Mattermost Server 2020-06-24 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
CVE-2018-21249 1 Mattermost 1 Mattermost Server 2020-06-23 4.3 MEDIUM 3.7 LOW
An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.
CVE-2018-21258 1 Mattermost 1 Mattermost Server 2020-06-23 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
CVE-2016-11084 1 Mattermost 1 Mattermost Server 2020-06-23 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
CVE-2017-18917 1 Mattermost 1 Mattermost Server 2020-06-23 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
CVE-2017-18918 1 Mattermost 1 Mattermost Server 2020-06-23 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
CVE-2017-18920 1 Mattermost 1 Mattermost Server 2020-06-23 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.