Vulnerabilities (CVE)

Filtered by vendor Mattermost
Total 320 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-49607 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 7.5 HIGH
Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.
CVE-2023-48369 1 Mattermost 1 Mattermost 2024-02-28 N/A 5.3 MEDIUM
Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log.
CVE-2023-35075 1 Mattermost 1 Mattermost 2024-02-28 N/A 5.4 MEDIUM
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML into a victim's page by creating a channel name that is valid HTML. No XSS is possible though.
CVE-2023-40703 1 Mattermost 1 Mattermost 2024-02-28 N/A 7.5 HIGH
Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.
CVE-2023-6727 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 4.3 MEDIUM
Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.
CVE-2023-46701 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 5.3 MEDIUM
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID.
CVE-2023-45316 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 8.8 HIGH
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.
CVE-2023-47858 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 4.3 MEDIUM
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.
CVE-2023-5875 1 Mattermost 1 Mattermost Desktop 2024-02-28 N/A 5.3 MEDIUM
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones, allowing media exploitation from a malicious Mattermost server.
CVE-2023-4106 1 Mattermost 1 Mattermost 2024-02-28 N/A 6.5 MEDIUM
Mattermost fails to check if the requesting user is a guest before performing different actions on public playbooks, resulting in a guest being able to view, join, edit, export and archive public playbooks.
CVE-2023-5330 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 7.5 HIGH
Mattermost fails to enforce a limit on the size of the cache entry for OpenGraph data, allowing an attacker to send a specially crafted request to the /api/v4/opengraph endpoint, filling the cache and rendering the server unavailable.
CVE-2023-5196 1 Mattermost 1 Mattermost 2024-02-28 N/A 6.5 MEDIUM
Mattermost fails to enforce character limits in all possible notification props, allowing an attacker to send a very long value for a notification_prop, resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.
CVE-2023-5194 1 Mattermost 1 Mattermost 2024-02-28 N/A 4.3 MEDIUM
Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote / deactivate another manager.
CVE-2023-5193 1 Mattermost 1 Mattermost 2024-02-28 N/A 2.7 LOW
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
CVE-2023-3581 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 8.1 HIGH
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.
CVE-2023-3615 1 Mattermost 1 Mattermost 2024-02-28 N/A 8.1 HIGH
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection.
CVE-2023-5522 1 Mattermost 1 Mattermost 2024-02-28 N/A 4.3 MEDIUM
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post, allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel.
CVE-2023-3591 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 8.2 HIGH
Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.
CVE-2023-5339 1 Mattermost 1 Mattermost Desktop 2024-02-28 N/A 5.5 MEDIUM
Mattermost Desktop fails to set an appropriate log level during the initial run after a fresh installation, resulting in all keystrokes, including password entry, being logged.
CVE-2023-3590 1 Mattermost 1 Mattermost Server 2024-02-28 N/A 7.5 HIGH
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.