Filtered by vendor Mattermost Subscriptions
Filtered by product Mattermost Server Subscriptions
Total 227 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-3587 1 Mattermost 1 Mattermost Server 2024-11-21 2.7 Low
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.
CVE-2023-3586 1 Mattermost 1 Mattermost Server 2024-11-21 4.2 Medium
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
CVE-2023-3585 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.
CVE-2023-3584 1 Mattermost 1 Mattermost Server 2024-11-21 3.1 Low
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
CVE-2023-3582 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, 
CVE-2023-3581 1 Mattermost 1 Mattermost Server 2024-11-21 6.2 Medium
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.
CVE-2023-3577 1 Mattermost 1 Mattermost Server 2024-11-21 3.5 Low
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
CVE-2021-37863 1 Mattermost 1 Mattermost Server 2024-11-21 3.5 Low
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.
CVE-2021-37862 1 Mattermost 1 Mattermost Server 2024-11-21 3.7 Low
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
CVE-2020-14460 1 Mattermost 1 Mattermost Server 2024-11-21 6.5 Medium
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
CVE-2020-14459 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
CVE-2020-14458 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
CVE-2020-14457 1 Mattermost 1 Mattermost Server 2024-11-21 5.3 Medium
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
CVE-2020-14453 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
CVE-2020-14452 1 Mattermost 1 Mattermost Server 2024-11-21 5.3 Medium
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
CVE-2020-14450 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
CVE-2020-14448 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
CVE-2020-14447 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
CVE-2019-20890 1 Mattermost 1 Mattermost Server 2024-11-21 4.3 Medium
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
CVE-2019-20889 1 Mattermost 1 Mattermost Server 2024-11-21 5.3 Medium
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.