Filtered by vendor Mattermost
Total: 320 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-49607 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 7.5 HIGH | Mattermost fails to validate the type of the "reminder" body request parameter, allowing an attacker to crash the Playbook Plugin when updating the status dialog. |
CVE-2023-48369 | Mattermost | Mattermost | 2024-02-28 | N/A | 5.3 MEDIUM | Mattermost fails to limit the log size of server logs, allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. |
CVE-2023-35075 | Mattermost | Mattermost | 2024-02-28 | N/A | 5.4 MEDIUM | Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML into a victim's page by creating a channel name that is valid HTML. No XSS is possible, though. |
CVE-2023-40703 | Mattermost | Mattermost | 2024-02-28 | N/A | 7.5 HIGH | Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. |
CVE-2023-6727 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. |
CVE-2023-46701 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 5.3 MEDIUM | Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID. |
CVE-2023-45316 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 8.8 HIGH | Mattermost fails to validate whether a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint, leading to a CSRF attack. |
CVE-2023-47858 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. |
CVE-2023-5875 | Mattermost | Mattermost Desktop | 2024-02-28 | N/A | 5.3 MEDIUM | Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones, allowing media exploitation from a malicious Mattermost server. |
CVE-2023-4106 | Mattermost | Mattermost | 2024-02-28 | N/A | 6.5 MEDIUM | Mattermost fails to check if the requesting user is a guest before performing different actions on public playbooks, resulting in a guest being able to view, join, edit, export and archive public playbooks. |
CVE-2023-5330 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 7.5 HIGH | Mattermost fails to enforce a limit on the size of the cache entry for OpenGraph data, allowing an attacker to send a specially crafted request to the /api/v4/opengraph endpoint, filling the cache and rendering the server unavailable. |
CVE-2023-5196 | Mattermost | Mattermost | 2024-02-28 | N/A | 6.5 MEDIUM | Mattermost fails to enforce character limits in all possible notification props, allowing an attacker to send an excessively long value for a notification_prop, resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. |
CVE-2023-5194 | Mattermost | Mattermost | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager. |
CVE-2023-5193 | Mattermost | Mattermost | 2024-02-28 | N/A | 2.7 LOW | Mattermost fails to properly check permissions when retrieving a post, allowing a System Role with the permission to manage channels to read the posts of a DM conversation. |
CVE-2023-3581 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 8.1 HIGH | Mattermost fails to properly validate the origin of a websocket connection, allowing a MITM attacker on Mattermost to access the websocket APIs. |
CVE-2023-3615 | Mattermost | Mattermost | 2024-02-28 | N/A | 8.1 HIGH | The Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection, allowing a network attacker to intercept the WebSockets connection. |
CVE-2023-5522 | Mattermost | Mattermost | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost Mobile fails to limit the maximum number of Markdown elements in a post, allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users viewing that particular channel. |
CVE-2023-3591 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 8.2 HIGH | Mattermost fails to invalidate previously generated password reset tokens when a new reset token is created. |
CVE-2023-5339 | Mattermost | Mattermost Desktop | 2024-02-28 | N/A | 5.5 MEDIUM | Mattermost Desktop fails to set an appropriate log level during the initial run after a fresh installation, resulting in all keystrokes, including password entry, being logged. |
CVE-2023-3590 | Mattermost | Mattermost Server | 2024-02-28 | N/A | 7.5 HIGH | Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. |