Vulnerabilities (CVE)

Filtered by vendor Mattermost Subscribe
Total 320 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-20866 1 Mattermost 1 Mattermost Server 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
CVE-2017-18883 1 Mattermost 1 Mattermost Server 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
CVE-2017-18893 1 Mattermost 1 Mattermost Server 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
CVE-2017-18899 1 Mattermost 1 Mattermost Server 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
CVE-2016-11068 1 Mattermost 1 Mattermost Server 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
CVE-2018-21249 1 Mattermost 1 Mattermost Server 2024-02-28 4.3 MEDIUM 3.7 LOW
An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.
CVE-2017-18906 1 Mattermost 1 Mattermost Server 2024-02-28 4.9 MEDIUM 8.1 HIGH
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
CVE-2020-14451 2 Apple, Mattermost 2 Iphone Os, Mattermost Mobile 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.
CVE-2017-18912 1 Mattermost 1 Mattermost Server 2024-02-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
CVE-2019-20883 1 Mattermost 1 Mattermost Server 2024-02-28 3.5 LOW 4.3 MEDIUM
An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.
CVE-2017-18877 1 Mattermost 1 Mattermost Server 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
CVE-2020-14456 1 Mattermost 1 Mattermost Desktop 2024-02-28 7.5 HIGH 7.3 HIGH
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.
CVE-2017-18915 1 Mattermost 1 Mattermost Server 2024-02-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
CVE-2018-21263 1 Mattermost 1 Mattermost Server 2024-02-28 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
CVE-2016-11065 1 Mattermost 1 Mattermost Server 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
CVE-2019-20847 1 Mattermost 1 Mattermost Server 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
CVE-2019-20865 1 Mattermost 1 Mattermost Server 2024-02-28 6.8 MEDIUM 8.8 HIGH
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
CVE-2019-20854 1 Mattermost 1 Mattermost Server 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
CVE-2017-18890 1 Mattermost 1 Mattermost Server 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
CVE-2017-18904 1 Mattermost 1 Mattermost Server 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.