Vulnerabilities (CVE)

Filtered by vendor Mattermost Subscribe
Total 323 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-0903 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
CVE-2022-0708 1 Mattermost 1 Mattermost 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure.
CVE-2021-37867 1 Mattermost 1 Mattermost Boards 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure.
CVE-2021-37866 1 Mattermost 1 Mattermost Boards 2024-11-21 5.0 MEDIUM 4.7 MEDIUM
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
CVE-2021-37865 1 Mattermost 1 Mattermost 2024-11-21 3.5 LOW 4.3 MEDIUM
Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
CVE-2021-37864 1 Mattermost 1 Mattermost 2024-11-21 4.0 MEDIUM 2.6 LOW
Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.
CVE-2021-37863 1 Mattermost 1 Mattermost Server 2024-11-21 3.5 LOW 3.5 LOW
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.
CVE-2021-37862 1 Mattermost 1 Mattermost Server 2024-11-21 5.8 MEDIUM 3.7 LOW
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
CVE-2021-37861 1 Mattermost 1 Mattermost 2024-11-21 5.0 MEDIUM 5.8 MEDIUM
Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails.
CVE-2021-37860 1 Mattermost 1 Mattermost 2024-11-21 2.6 LOW 3.7 LOW
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.
CVE-2021-37859 1 Mattermost 1 Mattermost 2024-11-21 4.3 MEDIUM 7.1 HIGH
Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost.
CVE-2020-14460 1 Mattermost 1 Mattermost Server 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
CVE-2020-14459 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
CVE-2020-14458 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
CVE-2020-14457 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
CVE-2020-14456 1 Mattermost 1 Mattermost Desktop 2024-11-21 7.5 HIGH 7.3 HIGH
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.
CVE-2020-14455 1 Mattermost 1 Mattermost Desktop 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007.
CVE-2020-14454 1 Mattermost 1 Mattermost Desktop 2024-11-21 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008.
CVE-2020-14453 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
CVE-2020-14452 1 Mattermost 1 Mattermost Server 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.