Filtered by vendor Mattermost
Subscribe
Total
287 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-4107 | 1 Mattermost | 1 Mattermost | 2024-02-05 | N/A | 6.5 MEDIUM |
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | |||||
CVE-2023-3587 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 2.7 LOW |
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions. | |||||
CVE-2023-3584 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 3.1 LOW |
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. | |||||
CVE-2023-3582 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 4.3 MEDIUM |
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, | |||||
CVE-2023-3591 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 8.2 HIGH |
Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. | |||||
CVE-2023-4105 | 1 Mattermost | 1 Mattermost | 2024-02-05 | N/A | 4.3 MEDIUM |
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message | |||||
CVE-2023-3586 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 5.4 MEDIUM |
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | |||||
CVE-2023-3581 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 8.1 HIGH |
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | |||||
CVE-2023-4106 | 1 Mattermost | 1 Mattermost | 2024-02-05 | N/A | 6.5 MEDIUM |
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. | |||||
CVE-2023-3585 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 4.3 MEDIUM |
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | |||||
CVE-2023-3613 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 3.5 LOW |
Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. | |||||
CVE-2023-3590 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 7.5 HIGH |
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. | |||||
CVE-2023-3614 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 3.3 LOW |
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. | |||||
CVE-2023-3615 | 1 Mattermost | 1 Mattermost | 2024-02-05 | N/A | 8.1 HIGH |
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. | |||||
CVE-2023-4108 | 1 Mattermost | 1 Mattermost | 2024-02-05 | N/A | 7.5 HIGH |
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | |||||
CVE-2023-3593 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 6.5 MEDIUM |
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input. | |||||
CVE-2023-3577 | 1 Mattermost | 1 Mattermost Server | 2024-02-05 | N/A | 4.3 MEDIUM |
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | |||||
CVE-2023-2193 | 1 Mattermost | 1 Mattermost | 2024-02-04 | N/A | 9.1 CRITICAL |
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. | |||||
CVE-2023-2515 | 1 Mattermost | 1 Mattermost Server | 2024-02-04 | N/A | 8.8 HIGH |
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin | |||||
CVE-2023-2831 | 1 Mattermost | 1 Mattermost | 2024-02-04 | N/A | 6.5 MEDIUM |
Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. |