Product: Mattermost_server (Mattermost)
Repositories: Unknown (this might be proprietary software)
Vulnerabilities: 212
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-12-12 | CVE-2023-6547 | Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. | Mattermost_server | 5.4 | | |
2023-12-06 | CVE-2023-6458 | Mattermost webapp fails to validate route parameters in /<TEAM_NAME>/channels/<CHANNEL_NAME>, allowing an attacker to perform a client-side path traversal. | Mattermost_server | 9.8 | | |
2023-12-06 | CVE-2023-6459 | Mattermost groups calls in the /metrics endpoint by ID and reports that ID in the response. Since this ID is the channel ID, the public /metrics endpoint reveals channel IDs. | Mattermost_server | 5.3 | | |
2023-02-27 | CVE-2023-27265 | Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address from the response. | Mattermost_server | 2.7 | | |
2023-02-27 | CVE-2023-27266 | Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address from the response. | Mattermost_server | 2.7 | | |
2023-03-31 | CVE-2023-1774 | When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. | Mattermost_server | 5.4 | | |
2023-03-31 | CVE-2023-1775 | When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients. | Mattermost_server | 6.5 | | |
2023-03-31 | CVE-2023-1776 | Mattermost Boards allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | Mattermost_server | 5.4 | | |
2023-03-31 | CVE-2023-1777 | Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | Mattermost_server | 5.3 | | |
2023-10-09 | CVE-2023-5330 | Mattermost fails to enforce a limit on the size of a cache entry for OpenGraph data, allowing an attacker to send a specially crafted request to /api/v4/opengraph that fills the cache and renders the server unavailable. | Mattermost_server | 7.5 | | |