Filtered by vendor Mattermost. Total: 473 CVE.
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-12559 | Mattermost | Mattermost | 2025-11-29 | 4.3 Medium | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint. |
| CVE-2025-12421 | Mattermost | Mattermost | 2025-11-29 | 9.9 Critical | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). |
| CVE-2025-12419 | Mattermost | Mattermost | 2025-11-29 | 9.9 Critical | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. |
| CVE-2025-55074 | Mattermost | Mattermost, Mattermost Server | 2025-11-25 | 3 Low | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects. |
| CVE-2025-55073 | Mattermost | Mattermost, Mattermost Server | 2025-11-20 | 5.4 Medium | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL. |
| CVE-2025-11794 | Mattermost | Mattermost, Mattermost Server | 2025-11-20 | 4.9 Medium | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint. |
| CVE-2025-11777 | Mattermost | Mattermost, Mattermost Server | 2025-11-17 | 3.1 Low | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint. |
| CVE-2025-11776 | Mattermost | Mattermost, Mattermost Server | 2025-11-17 | 4.3 Medium | Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint. |
| CVE-2025-41436 | Mattermost | Mattermost, Mattermost Server | 2025-11-17 | 3.1 Low | Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads. |
| CVE-2025-55070 | Mattermost | Mattermost, Mattermost Server | 2025-11-17 | 6.5 Medium | Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events. |
| CVE-2025-59480 | Mattermost | Mattermost, Mattermost Mobile | 2025-11-14 | 6.1 Medium | Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses. |
| CVE-2025-47700 | Mattermost | Mattermost, Mattermost Server, Server | 2025-10-29 | 3.5 Low | Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies, which allows users to trick other users into clicking malicious links via post actions. |
| CVE-2025-55035 | Mattermost | Mattermost, Mattermost Desktop | 2025-10-29 | 6.1 Medium | Mattermost Desktop App versions <=5.13.0 fail to properly manage a modal that stops a user with a server that uses basic authentication from accessing their server, which allows an attacker who provides a malicious server to the user to deny use of the Desktop App by having the user configure the malicious server and forcing a modal popup that cannot be closed. |
| CVE-2025-58084 | Mattermost | Mattermost, Mattermost Desktop | 2025-10-29 | 3.5 Low | Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL. |
| CVE-2025-41443 | Mattermost | Mattermost, Mattermost Server | 2025-10-29 | 4.3 Medium | Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint. |
| CVE-2025-58073 | Mattermost | Mattermost, Mattermost Server | 2025-10-22 | 8.1 High | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state. |
| CVE-2025-58075 | Mattermost | Mattermost, Mattermost Server | 2025-10-22 | 8.1 High | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState. |
| CVE-2025-10545 | Mattermost | Mattermost, Mattermost Server | 2025-10-21 | 3.1 Low | Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint. |
| CVE-2025-41410 | Mattermost | Mattermost, Mattermost Server | 2025-10-21 | 5.4 Medium | Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during the Slack import process, which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions. |
| CVE-2025-54499 | Mattermost | Mattermost, Mattermost Server | 2025-10-21 | 3.1 Low | Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons, which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets. |