Latest Mattermost Vulnerabilities

Denial of service in mattermost mobile apps and server via emoji reactions
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.5
go/github.com/mattermost/mattermost/server/v8>=9.2.0<9.2.4
go/github.com/mattermost/mattermost/server/v8<8.1.8
Mattermost Mattermost Server<=8.1.7
Mattermost Mattermost Server>=9.0.0<=9.1.4
Mattermost Mattermost Server>=9.2.0<=9.2.3
Incorrect Authorization leads to Channel Member Count Leak
Mattermost Mattermost Server<=8.1.7
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.3.0
go/github.com/mattermost/mattermost/server/v8<8.1.8
Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)
go/github.com/mattermost/mattermost-plugin-jira<4.0.0-rc1
Mattermost Mattermost Server<=8.1.7
CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
Mattermost Mattermost Server<=8.1.7
go/github.com/mattermost/mattermost-plugin-jira<1.1.2-0.20230830170046-f4cf4c6de017
Details of archived public channels are leaked to members of another team
go/github.com/mattermost/mattermost/server/v8<=8.1.0
go/github.com/mattermost/mattermost-server/v6<=7.8.9
Mattermost Mattermost Server<8.1.7
Mattermost Mattermost Server>=9.0.0<9.0.5
Mattermost Mattermost Server>=9.1.0<9.1.4
Mattermost Mattermost Server>=9.2.0<9.2.3
and 4 more
Lack of restriction to manage group names for freshly demoted guests
go/github.com/mattermost/mattermost/server/v8<=8.1.6
Mattermost Mattermost Server<8.1.7
<8.1.7
Keywords that trigger mentions are leaked to other users
go/github.com/mattermost/mattermost-server/v6<=8.1.6
go/github.com/mattermost/mattermost/server/v8<=8.1.6
Mattermost Mattermost Server<8.1.7
<8.1.7
Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
Mattermost Mattermost<2.10.1
Mattermost Mattermost<2.10.1
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
go/github.com/mattermost/mattermost/server/v8<8.1.7
Mattermost Mattermost Server<8.1.7
<8.1.7
Leak Inaccessible Playbook Information via Channel Action IDOR
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.2.0<=9.2.1
Reflected client side path traversal leading to CSRF in Playbooks
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbooks access/modification by removed team member
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbook plugin crash via missing interface type assertion
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.0<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Mattermost Mattermost Server=9.1.1
Todo plugin gets crashed and disabled by member
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.1.0
IDOR when updating the tasks of a private playbook run
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbook Plugin Crash via Run Checklist
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Public endpoint /metrics of Calls plugin reveals channel IDs
go/github.com/mattermost/mattermost/server/v8<8.1.5
go/github.com/mattermost/mattermost-server/v6<7.8.14
Mattermost Mattermost Server<7.8.14
Mattermost Mattermost Server>=8.0.0<8.1.5
Client side path traversal due to lack of route parameters validation
go/github.com/mattermost/mattermost/server>=9.1.0<9.1.2
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.3
go/github.com/mattermost/mattermost/server/v8<8.1.5
go/github.com/mattermost/mattermost-server/v6<7.8.14
Mattermost Mattermost Server<7.8.14
Mattermost Mattermost Server>=8.0.0<8.1.5
and 2 more
Open redirect in /oauth/<service>/mobile_login?redirect_to=
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Insecure Direct Object Reference in /plugins/focalboard/ api/v2/users of Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Log Flooding due to specially crafted requests in different endpoints
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Mattermost Mattermost>=9.0.0<=9.0.1
Mattermost Mattermost=9.1.0
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
and 2 more
HTML injection via channel autocomplete
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Denial of Service via specially crafted block fields in Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Denial of Service via Board Import Zip Bomb
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Users full name disclosure through Mattermost Boards with Show Full Name Option disabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Username and Icon override can be used by members when Hardened Mode is enabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Denial of Service via Link Preview in /api/v4/redirect_location
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
Password hash in response body after username update
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
Denial of Service via crashing the Calls Plugin
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.4
and 1 more
Lack Of Secure Keyboard Entry Protection in MacOS Desktop
Mattermost Mattermost Desktop<5.5.1
Apple macOS
Lack of Hardening against media exploitation from a remote origin
Mattermost Mattermost Desktop<5.5.1
Regex DoS from a malicious server enrolled in Desktop
Mattermost Mattermost Desktop<5.5.1
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when view...
Mattermost Mattermost<2.8.0
Mattermost Mattermost<2.8.0
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. 
Mattermost Mattermost Desktop<=5.4.0
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids ...
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning ...
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was ...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal q...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost wit...
Mattermost Mattermost Server<7.8.9
Mattermost Mattermost Server>=7.9.0<7.10.5
Mattermost Mattermost Server=8.0.0
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
go/github.com/mattermost/mattermost-server/v6<=7.8.7
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. ...
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
go/github.com/mattermost/mattermost-server/v6<=7.8.7
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playboo...
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6<=7.8.7
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, 
Mattermost Mattermost Server>=7.8.0<7.8.7
Mattermost Mattermost Server>=7.9.0<7.9.5
Mattermost Mattermost Server>=7.10.0<7.10.3

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203