Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mattermost_server
(Mattermost)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 212 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-01-02 | CVE-2023-48732 | Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. | Mattermost_server | 4.3 | ||
| 2024-01-02 | CVE-2023-50333 | Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | Mattermost_server | 4.3 | ||
| 2023-12-29 | CVE-2023-7113 | Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | Mattermost_server | 6.1 | ||
| 2023-12-12 | CVE-2023-6727 | Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. | Mattermost_server | 4.3 | ||
| 2023-12-12 | CVE-2023-45316 | Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | Mattermost_server | 8.8 | ||
| 2023-12-12 | CVE-2023-45847 | Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | Mattermost_server | 7.5 | ||
| 2023-12-12 | CVE-2023-46701 | Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | Mattermost_server | 5.3 | ||
| 2023-12-12 | CVE-2023-49607 | Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | Mattermost_server | 7.5 | ||
| 2023-12-12 | CVE-2023-49809 | Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. | Mattermost_server | 6.5 | ||
| 2023-12-12 | CVE-2023-49874 | Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | Mattermost_server | 4.3 |