Latest Mattermost Vulnerabilities

Denial of service in mattermost mobile apps and server via emoji reactions
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.5
go/github.com/mattermost/mattermost/server/v8>=9.2.0<9.2.4
go/github.com/mattermost/mattermost/server/v8<8.1.8
Mattermost Mattermost Server<=8.1.7
Mattermost Mattermost Server>=9.0.0<=9.1.4
Mattermost Mattermost Server>=9.2.0<=9.2.3
Incorrect Authorization leads to Channel Member Count Leak
Mattermost Mattermost Server<=8.1.7
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.3.0
go/github.com/mattermost/mattermost/server/v8<8.1.8
Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)
go/github.com/mattermost/mattermost-plugin-jira<4.0.0-rc1
Mattermost Mattermost Server<=8.1.7
CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
Mattermost Mattermost Server<=8.1.7
go/github.com/mattermost/mattermost-plugin-jira<1.1.2-0.20230830170046-f4cf4c6de017
Details of archived public channels are leaked to members of another team
go/github.com/mattermost/mattermost/server/v8<=8.1.0
go/github.com/mattermost/mattermost-server/v6<=7.8.9
Mattermost Mattermost Server<8.1.7
Mattermost Mattermost Server>=9.0.0<9.0.5
Mattermost Mattermost Server>=9.1.0<9.1.4
Mattermost Mattermost Server>=9.2.0<9.2.3
and 4 more
Lack of restriction to manage group names for freshly demoted guests
go/github.com/mattermost/mattermost/server/v8<=8.1.6
Mattermost Mattermost Server<8.1.7
<8.1.7
Keywords that trigger mentions are leaked to other users
go/github.com/mattermost/mattermost-server/v6<=8.1.6
go/github.com/mattermost/mattermost/server/v8<=8.1.6
Mattermost Mattermost Server<8.1.7
<8.1.7
Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
Mattermost Mattermost<2.10.1
Mattermost Mattermost<2.10.1
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
go/github.com/mattermost/mattermost/server/v8<8.1.7
Mattermost Mattermost Server<8.1.7
<8.1.7
Leak Inaccessible Playbook Information via Channel Action IDOR
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.2.0<=9.2.1
Reflected client side path traversal leading to CSRF in Playbooks
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbooks access/modification by removed team member
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbook plugin crash via missing interface type assertion
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.0<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Mattermost Mattermost Server=9.1.1
Todo plugin gets crashed and disabled by member
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.1.0
IDOR when updating the tasks of a private playbook run
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbook Plugin Crash via Run Checklist
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Public endpoint /metrics of Calls plugin reveals channel IDs
go/github.com/mattermost/mattermost/server/v8<8.1.5
go/github.com/mattermost/mattermost-server/v6<7.8.14
Mattermost Mattermost Server<7.8.14
Mattermost Mattermost Server>=8.0.0<8.1.5
Client side path traversal due to lack of route parameters validation
go/github.com/mattermost/mattermost/server>=9.1.0<9.1.2
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.3
go/github.com/mattermost/mattermost/server/v8<8.1.5
go/github.com/mattermost/mattermost-server/v6<7.8.14
Mattermost Mattermost Server<7.8.14
Mattermost Mattermost Server>=8.0.0<8.1.5
and 2 more
Open redirect in /oauth/<service>/mobile_login?redirect_to=
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Insecure Direct Object Reference in /plugins/focalboard/api/v2/users of Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Log Flooding due to specially crafted requests in different endpoints
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Mattermost Mattermost>=9.0.0<=9.0.1
Mattermost Mattermost=9.1.0
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
and 2 more
HTML injection via channel autocomplete
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Denial of Service via specially crafted block fields in Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Denial of Service via Board Import Zip Bomb
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Users' full name disclosure through Mattermost Boards with Show Full Name option disabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Username and Icon override can be used by members when Hardened Mode is enabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Denial of Service via Link Preview in /api/v4/redirect_location
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
Password hash in response body after username update
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
Denial of Service via crashing the Calls Plugin
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.4
and 1 more
Lack of Secure Keyboard Entry protection in macOS Desktop
Mattermost Mattermost Desktop<5.5.1
Apple macOS
Lack of Hardening against media exploitation from a remote origin
Mattermost Mattermost Desktop<5.5.1
Regex DoS from a malicious server enrolled in Desktop
Mattermost Mattermost Desktop<5.5.1
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when view...
Mattermost Mattermost<2.8.0
Mattermost Mattermost<2.8.0
Mattermost Desktop fails to set an appropriate log level during the initial run after a fresh installation, resulting in all keystrokes, including password entry, being logged.
Mattermost Mattermost Desktop<=5.4.0
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning ...
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids ...
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was ...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal q...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.0.2
Mattermost Mattermost>=8.1.0<8.1.1
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost wit...
Mattermost Mattermost Server<7.8.9
Mattermost Mattermost Server>=7.9.0<7.10.5
Mattermost Mattermost Server=8.0.0
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
go/github.com/mattermost/mattermost-server/v6<=7.8.7
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. ...
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
go/github.com/mattermost/mattermost-server/v6<=7.8.7
Mattermost fails to check if the requesting user is a guest before performing different actions on public playbooks, resulting in a guest being able to view, join, edit, export and archive public playboo...
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
go/github.com/mattermost/mattermost-server/v6<=7.8.7
go/github.com/mattermost/mattermost-server/v6>=7.10.0<=7.10.3
go/github.com/mattermost/mattermost-server/v6>=7.9.0<=7.9.5
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
Mattermost Mattermost>=7.8.0<7.8.8
Mattermost Mattermost>=7.9.0<7.9.6
Mattermost Mattermost>=7.10.0<7.10.4
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection.
Mattermost Mattermost<2.5.1

© 2024 SecAlerts Pty Ltd.