Filtered by vendor Mattermost
Subscriptions
Filtered by product Mattermost Server
Subscriptions
Total
227 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-3587 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 2.7 Low |
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions. | ||||
CVE-2023-3586 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.2 Medium |
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | ||||
CVE-2023-3585 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 Medium |
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | ||||
CVE-2023-3584 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.1 Low |
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. | ||||
CVE-2023-3582 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 Medium |
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, | ||||
CVE-2023-3581 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.2 Medium |
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | ||||
CVE-2023-3577 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.5 Low |
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | ||||
CVE-2021-37863 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.5 Low |
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post. | ||||
CVE-2021-37862 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.7 Low |
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token. | ||||
CVE-2020-14460 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.5 Medium |
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001. | ||||
CVE-2020-14459 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002. | ||||
CVE-2020-14458 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004. | ||||
CVE-2020-14457 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.3 Medium |
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012. | ||||
CVE-2020-14453 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005. | ||||
CVE-2020-14452 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.3 Medium |
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014. | ||||
CVE-2020-14450 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017. | ||||
CVE-2020-14448 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020. | ||||
CVE-2020-14447 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021. | ||||
CVE-2019-20890 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 Medium |
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions. | ||||
CVE-2019-20889 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.3 Medium |
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. |