Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mattermost_server
(Mattermost)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 215 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-07-17 | CVE-2023-3585 | Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | Mattermost_server | 4.3 | ||
| 2023-07-17 | CVE-2023-3613 | Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. | Mattermost_server | 3.5 | ||
| 2023-07-17 | CVE-2023-3614 | Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. | Mattermost_server | 3.3 | ||
| 2022-04-13 | CVE-2022-1337 | The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files. | Mattermost_server | 6.5 | ||
| 2022-09-09 | CVE-2022-3147 | Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service. | Mattermost_server | 6.5 | ||
| 2023-05-12 | CVE-2023-2515 | Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin | Mattermost_server | 8.8 | ||
| 2023-04-25 | CVE-2023-2281 | When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team. | Mattermost_server | 4.3 | ||
| 2023-04-17 | CVE-2023-1831 | Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). | Mattermost_server | 7.5 | ||
| 2023-03-15 | CVE-2023-1421 | A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter. | Mattermost_server | 6.1 | ||
| 2022-09-23 | CVE-2022-3257 | Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. | Mattermost_server | 6.5 |