Latest mattermost mattermost Vulnerabilities

CVE-2023-7114
Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
Mattermost Mattermost<2.10.1
Mattermost Mattermost<2.10.1
CVE-2023-47168
Open redirect in /oauth/<service>/mobile_login?redirect_to=
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
CVE-2023-6202
Insecure Direct Object Reference in /plugins/focalboard/ api/v2/users of Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
CVE-2023-43754
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
CVE-2023-48369
Log Flooding due to specially crafted requests in different endpoints
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Mattermost Mattermost>=9.0.0<=9.0.1
Mattermost Mattermost=9.1.0
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
and 2 more
CVE-2023-35075
HTML injection via channel autocomplete
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
CVE-2023-40703
Denial of Service via specially crafted block fields in Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
CVE-2023-48268
Denial of Service via Board Import Zip Bomb
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
CVE-2023-45223
Users full name disclosure through Mattermost Boards with Show Full Name Option disabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
CVE-2023-47865
Username and Icon override can be used by members when Hardened Mode is enabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
CVE-2023-5969
Denial of Service via Link Preview in /api/v4/redirect_location
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
CVE-2023-5968
Password hash in response body after username update
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
CVE-2023-5967
Denial of Service via crashing the Calls Plugin
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.4
and 1 more
CVE-2023-5522
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when view...
Mattermost Mattermost<2.8.0
Mattermost Mattermost<2.8.0
CVE-2023-5160
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was ...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
CVE-2023-5195
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
CVE-2023-5193
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
CVE-2023-5194
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
CVE-2023-5159
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
CVE-2023-5196
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal q...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
CVE-2023-4108
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
go/github.com/mattermost/mattermost-server/v6<=7.8.7
CVE-2023-4105
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
CVE-2023-4107
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. ...
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
go/github.com/mattermost/mattermost-server/v6<=7.8.7
CVE-2023-4106
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playboo...
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6<=7.8.7
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
CVE-2023-3615
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection.
Mattermost Mattermost<2.5.1
CVE-2023-2793
Mattermost Mattermost>=7.8.0<=7.8.3
Mattermost Mattermost>=7.9.0<=7.9.2
Mattermost Mattermost=7.10.0
CVE-2023-2785
Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2797
Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel.
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost=7.10.0
CVE-2023-2792
Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2831
Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters.
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2791
When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.
Mattermost Mattermost>=7.7.0<=7.7.3
Mattermost Mattermost>=7.8.0<=7.8.2
Mattermost Mattermost>=7.9.0<=7.9.1
Mattermost Mattermost=7.10.0
CVE-2023-2783
Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2786
Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands.
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2787
Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2788
Mattermost Mattermost>=7.1.0<=7.1.9
Mattermost Mattermost>=7.8.0<=7.8.4
Mattermost Mattermost>=7.9.0<=7.9.3
Mattermost Mattermost=7.10.0
CVE-2023-2808
Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a s...
Mattermost Mattermost>=5.34.0<7.1.9
Mattermost Mattermost>=7.2.0<7.8.4
Mattermost Mattermost>=7.9.0<7.9.3
CVE-2023-2193
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.
Mattermost Mattermost=7.1.7
Mattermost Mattermost=7.7.3
Mattermost Mattermost=7.8.2
Mattermost Mattermost=7.9.1
CVE-2023-1562
Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.
Mattermost Mattermost<7.5.0
CVE-2023-27263
A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.
Mattermost Mattermost<=7.1.4
Mattermost Mattermost=7.4.0
Mattermost Mattermost=7.5.0
Mattermost Mattermost=7.5.1
CVE-2023-27264
A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.
Mattermost Mattermost<=7.1.4
Mattermost Mattermost=7.4.0
Mattermost Mattermost=7.5.0
Mattermost Mattermost=7.5.1
CVE-2022-4045
A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.
Mattermost Mattermost
CVE-2022-4019
A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.
Mattermost Mattermost
CVE-2022-4044
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
Mattermost Mattermost<7.4
CVE-2022-2408
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of ...
Mattermost Mattermost<6.3.8
Mattermost Mattermost>=6.4.0<=6.5.1
Mattermost Mattermost=6.6.0
Mattermost Mattermost=6.6.1
Mattermost Mattermost=6.7.0
CVE-2022-1003
One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way th...
Mattermost Mattermost<6.4.0
CVE-2022-1002
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to in...
Mattermost Mattermost<6.4.0
CVE-2022-0708
Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive ...
Mattermost Mattermost<=6.3.0
CVE-2021-37865
Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while ...
Mattermost Mattermost<=6.2.0
CVE-2021-37861
Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails.
Mattermost Mattermost<=6.0.2
CVE-2020-13891
An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.
Mattermost Mattermost<1.31.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203