Filtered by vendor Mattermost
Total: 320 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-3614 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 3.3 LOW | Mattermost fails to properly validate a GIF image file, allowing an attacker to consume a significant amount of server resources and make the server unresponsive for an extended period of time by linking to a specially crafted image file.
CVE-2023-5159 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 2.7 LOW | Mattermost fails to properly verify permissions when managing/updating a bot, allowing a User Manager role with user edit permissions to manage/update bots.
CVE-2023-3584 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 3.1 LOW | Mattermost fails to properly check the authorization of POST /api/v4/teams when a team override scheme ID is passed in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with that team override scheme.
CVE-2023-5160 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
CVE-2023-5195 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 5.4 MEDIUM | Mattermost fails to properly validate permissions when soft deleting a team, allowing a team member to soft delete other teams that they are not part of.
CVE-2023-3586 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 5.4 MEDIUM | Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, so previously shared public Boards remain accessible.
CVE-2023-3613 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 3.5 LOW | The Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
CVE-2023-4108 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 7.5 HIGH | Mattermost fails to sanitize post metadata during audit logging, resulting in permalink contents being logged.
CVE-2023-3582 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to verify channel membership when linking a board to a channel, allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to.
CVE-2023-5968 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 4.9 MEDIUM | Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
CVE-2023-5333 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 6.5 MEDIUM | Mattermost fails to deduplicate input IDs, allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.
CVE-2023-4478 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 8.2 HIGH | Mattermost fails to restrict which parameters' values it takes from the request during signup, allowing an attacker to register users as inactive and thus block them from later accessing Mattermost until the system admin activates their accounts.
CVE-2023-5969 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 5.3 MEDIUM | Mattermost fails to properly sanitize the request to /api/v4/redirect_location, allowing an attacker sending a specially crafted request to /api/v4/redirect_location to fill up memory due to caching of large items.
CVE-2023-3593 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 6.5 MEDIUM | Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
CVE-2023-4105 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to delete the attachments when deleting a message in a thread, allowing a simple user to still access and download the attachment of a deleted message.
CVE-2023-3577 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
CVE-2023-5967 | 1 Mattermost | 1 Mattermost | 2024-02-28 | N/A | 4.3 MEDIUM | Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User-Agent header to cause a panic and crash the Calls plugin.
CVE-2023-5876 | 1 Mattermost | 1 Mattermost Desktop | 2024-02-28 | N/A | 5.3 MEDIUM | Mattermost fails to properly validate a RegExp built from the server URL path, allowing an attacker in control of an enrolled server to mount a denial of service.
CVE-2023-5331 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 5.3 MEDIUM | Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
CVE-2023-3587 | 1 Mattermost | 1 Mattermost Server | 2024-02-28 | N/A | 2.7 LOW | Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state so that any user with a valid sharing link can join the board with editor access, without the UI showing the updated permissions.