Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mattermost_server
(Mattermost)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 215 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-12-29 | CVE-2023-7113 | Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | Mattermost_server | 6.1 | ||
| 2023-12-12 | CVE-2023-6727 | Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. | Mattermost_server | 4.3 | ||
| 2023-12-12 | CVE-2023-45316 | Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | Mattermost_server | 8.8 | ||
| 2023-12-12 | CVE-2023-45847 | Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | Mattermost_server | 7.5 | ||
| 2023-12-12 | CVE-2023-46701 | Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | Mattermost_server | 5.3 | ||
| 2023-12-12 | CVE-2023-49607 | Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | Mattermost_server | 7.5 | ||
| 2023-12-12 | CVE-2023-49809 | Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. | Mattermost_server | 6.5 | ||
| 2023-12-12 | CVE-2023-49874 | Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | Mattermost_server | 4.3 | ||
| 2023-12-12 | CVE-2023-6547 | Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. | Mattermost_server | 5.4 | ||
| 2023-12-06 | CVE-2023-6458 | Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | Mattermost_server | 9.8 |