Filtered by vendor Mattermost Subscriptions
Filtered by product Mattermost Server Subscriptions
Total 227 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-6459 1 Mattermost 1 Mattermost Server 2024-12-16 5.3 Medium
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
CVE-2024-2445 1 Mattermost 1 Mattermost Server 2024-12-13 6.1 Medium
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.
CVE-2024-1953 1 Mattermost 1 Mattermost Server 2024-12-13 4.3 Medium
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
CVE-2024-1952 1 Mattermost 1 Mattermost Server 2024-12-13 3.1 Low
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
CVE-2024-1949 1 Mattermost 1 Mattermost Server 2024-12-13 2.6 Low
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
CVE-2024-1942 1 Mattermost 1 Mattermost Server 2024-12-13 4.3 Medium
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
CVE-2024-28053 1 Mattermost 1 Mattermost Server 2024-12-13 3.1 Low
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
CVE-2024-2446 1 Mattermost 1 Mattermost Server 2024-12-13 4.3 Medium
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
CVE-2024-2450 1 Mattermost 2 Mattermost, Mattermost Server 2024-12-13 8.8 High
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
CVE-2024-21848 1 Mattermost 1 Mattermost Server 2024-12-13 3.1 Low
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
CVE-2024-29221 1 Mattermost 1 Mattermost Server 2024-12-13 4.7 Medium
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
CVE-2024-2447 1 Mattermost 1 Mattermost Server 2024-12-13 6.5 Medium
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
CVE-2024-28949 1 Mattermost 1 Mattermost Server 2024-12-13 4.3 Medium
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
CVE-2022-0903 1 Mattermost 1 Mattermost Server 2024-12-07 5.3 Medium
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
CVE-2022-0904 1 Mattermost 1 Mattermost Server 2024-12-07 4.3 Medium
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
CVE-2022-1337 1 Mattermost 1 Mattermost Server 2024-12-07 4.3 Medium
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
CVE-2022-1332 1 Mattermost 1 Mattermost Server 2024-12-07 4.3 Medium
One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.
CVE-2022-1385 1 Mattermost 1 Mattermost Server 2024-12-07 3.7 Low
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
CVE-2022-1384 1 Mattermost 1 Mattermost Server 2024-12-07 4.7 Medium
Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.
CVE-2022-1982 1 Mattermost 1 Mattermost Server 2024-12-07 4.3 Medium
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.