Filtered by vendor Mattermost
Total
288 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-5876 | Mattermost | Mattermost Desktop | 2023-11-09 | N/A | 5.3 MEDIUM | Mattermost fails to properly validate a RegExp built from the server URL path, allowing an attacker in control of an enrolled server to mount a denial of service. |
CVE-2023-5875 | Mattermost | Mattermost Desktop | 2023-11-09 | N/A | 5.3 MEDIUM | Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones, allowing media exploitation from a malicious Mattermost server. |
CVE-2023-27266 | Mattermost | Mattermost Server | 2023-11-07 | N/A | 2.7 LOW | Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address from the response. |
CVE-2023-27265 | Mattermost | Mattermost Server | 2023-11-07 | N/A | 2.7 LOW | Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address from the response. |
CVE-2023-27264 | Mattermost | Mattermost | 2023-11-07 | N/A | 6.5 MEDIUM | A missing permissions check in Mattermost Playbooks allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API. |
CVE-2023-27263 | Mattermost | Mattermost | 2023-11-07 | N/A | 6.5 MEDIUM | A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of. |
CVE-2023-1777 | Mattermost | Mattermost Server | 2023-11-07 | N/A | 5.3 MEDIUM | Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. |
CVE-2023-1776 | Mattermost | Mattermost Server | 2023-11-07 | N/A | 5.4 MEDIUM | Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. |
CVE-2023-1775 | Mattermost | Mattermost Server | 2023-11-07 | N/A | 6.5 MEDIUM | When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients. |
CVE-2023-1774 | Mattermost | Mattermost Server | 2023-11-07 | N/A | 5.4 MEDIUM | When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. |
CVE-2023-1562 | Mattermost | Mattermost | 2023-11-07 | N/A | 4.3 MEDIUM | Mattermost fails to check the "Show Full Name" setting when rendering the result of the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. |
CVE-2022-4045 | Mattermost | Mattermost | 2023-11-07 | N/A | 6.5 MEDIUM | A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints that can fetch a large amount of data. |
CVE-2022-4019 | Mattermost | Mattermost | 2023-11-07 | N/A | 6.5 MEDIUM | A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints. |
CVE-2023-5522 | Mattermost | Mattermost | 2023-10-24 | N/A | 4.3 MEDIUM | Mattermost Mobile fails to limit the maximum number of Markdown elements in a post, allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users viewing that channel. |
CVE-2023-5339 | Mattermost | Mattermost Desktop | 2023-10-24 | N/A | 5.5 MEDIUM | Mattermost Desktop fails to set an appropriate log level during the initial run after a fresh installation, resulting in all keystrokes, including password entry, being logged. |
CVE-2023-5333 | Mattermost | Mattermost Server | 2023-10-12 | N/A | 6.5 MEDIUM | Mattermost fails to deduplicate input IDs, allowing a regular user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids containing multiple identical IDs. |
CVE-2023-5330 | Mattermost | Mattermost Server | 2023-10-12 | N/A | 7.5 HIGH | Mattermost fails to enforce a limit on the size of the cache entry for OpenGraph data, allowing an attacker to send a specially crafted request to /api/v4/opengraph that fills the cache and renders the server unavailable. |
CVE-2023-5331 | Mattermost | Mattermost Server | 2023-10-12 | N/A | 5.3 MEDIUM | Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. |
CVE-2023-5160 | Mattermost | Mattermost | 2023-10-04 | N/A | 4.3 MEDIUM | Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint, allowing a member to obtain the full name of another user even when the Show Full Name option is disabled. |
CVE-2023-5196 | Mattermost | Mattermost | 2023-10-03 | N/A | 6.5 MEDIUM | Mattermost fails to enforce character limits on all possible notification props, allowing an attacker to send a very long value for a notification_prop, causing the server to consume an abnormal quantity of computing resources and possibly become temporarily unavailable to its users. |