Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mattermost_server
(Mattermost)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 206 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-03-31 | CVE-2023-1777 | Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | Mattermost_server | 5.3 | ||
| 2023-10-09 | CVE-2023-5330 | Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | Mattermost_server | 7.5 | ||
| 2023-10-09 | CVE-2023-5331 | Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. | Mattermost_server | 5.3 | ||
| 2023-10-09 | CVE-2023-5333 | Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | Mattermost_server | 6.5 | ||
| 2023-08-25 | CVE-2023-4478 | Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | Mattermost_server | 8.2 | ||
| 2023-07-17 | CVE-2023-3577 | Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | Mattermost_server | 4.3 | ||
| 2023-07-17 | CVE-2023-3581 | Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | Mattermost_server | 8.1 | ||
| 2023-07-17 | CVE-2023-3582 | Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, | Mattermost_server | 4.3 | ||
| 2023-07-17 | CVE-2023-3584 | Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. | Mattermost_server | 3.1 | ||
| 2023-07-17 | CVE-2023-3586 | Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | Mattermost_server | 5.4 |