Filtered by vendor Mattermost
Subscriptions
Filtered by product Mattermost
Subscriptions
Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5196 | 1 Mattermost | 1 Mattermost | 2023-10-03 | 6.5 Medium |
| Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. | ||||
| CVE-2023-5195 | 1 Mattermost | 1 Mattermost | 2023-10-03 | 5.4 Medium |
| Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of | ||||
| CVE-2023-5194 | 1 Mattermost | 1 Mattermost | 2023-10-03 | 4.3 Medium |
| Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager | ||||
| CVE-2023-5193 | 1 Mattermost | 1 Mattermost | 2023-10-03 | 2.7 Low |
| Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. | ||||
| CVE-2023-5159 | 1 Mattermost | 1 Mattermost | 2023-10-03 | 2.7 Low |
| Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. | ||||
| CVE-2023-4106 | 1 Mattermost | 1 Mattermost | 2023-08-15 | 6.5 Medium |
| Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. | ||||
| CVE-2023-4105 | 1 Mattermost | 1 Mattermost | 2023-08-15 | 4.3 Medium |
| Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message | ||||
| CVE-2023-4108 | 1 Mattermost | 1 Mattermost | 2023-08-15 | 7.5 High |
| Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | ||||
| CVE-2023-4107 | 1 Mattermost | 1 Mattermost | 2023-08-15 | 6.5 Medium |
| Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | ||||
| CVE-2023-3615 | 1 Mattermost | 1 Mattermost | 2023-07-26 | 8.1 High |
| Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. | ||||
| CVE-2022-2408 | 1 Mattermost | 1 Mattermost | 2023-06-30 | 4.3 Medium |
| The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels. | ||||
| CVE-2022-2406 | 1 Mattermost | 1 Mattermost | 2023-06-30 | 6.5 Medium |
| The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API. | ||||
| CVE-2023-2785 | 1 Mattermost | 1 Mattermost | 2023-06-28 | 4.3 Medium |
| Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service | ||||
| CVE-2023-2786 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 4.3 Medium |
| Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands. | ||||
| CVE-2023-2787 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 6.5 Medium |
| Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. | ||||
| CVE-2023-2788 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 6.5 Medium |
| Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. | ||||
| CVE-2023-2791 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 4.3 Medium |
| When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. | ||||
| CVE-2023-2792 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 6.5 Medium |
| Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. | ||||
| CVE-2023-2793 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 6.5 Medium |
| Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message. | ||||
| CVE-2023-2797 | 1 Mattermost | 1 Mattermost | 2023-06-26 | 6.5 Medium |
| Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. | ||||