Latest Mattermost Vulnerabilities

Spoofed push notifications from malicious server
Mattermost Mattermost Mobile<2.17.0
LaTeX post content manipulation via renderer state leak across contexts
Mattermost Mattermost Mobile<2.17.0
Limited DoS due to permitting creating users with user-defined IDs
Mattermost Mattermost>=9.5.0<9.5.6
Mattermost Mattermost>=9.6.0<9.6.3
Mattermost Mattermost>=9.7.0<9.7.5
Mattermost Mattermost>=9.8.0<9.8.1
RemoteClusterFrame payloads are audit logged in full
Mattermost Mattermost>=9.5.0<9.5.6
Mattermost Mattermost=9.8.0
Creating posts with user-defined IDs permitted in CreatePost API
Mattermost Mattermost>=9.5.0<9.5.6
Mattermost Mattermost>=9.6.0<9.6.3
Mattermost Mattermost>=9.7.0<9.7.4
Mattermost Mattermost>=9.8.0<9.8.1
Timing attack during remote cluster token comparison when shared channels are enabled
Mattermost Mattermost>=9.5.0<9.5.6
Mattermost Mattermost>=9.6.0<9.6.3
Mattermost Mattermost>=9.7.0<9.7.5
Mattermost Mattermost>=9.8.0<9.8.1
Channel IDs of archived/restored channels leaked via webhook events
Mattermost Mattermost>=9.5.0<9.5.6
Mattermost Mattermost>=9.8.0<9.8.1
Lack of permission check when updating the profile picture of a remote user (shared channels enabled)
Mattermost Mattermost>=9.5.0<9.5.6
Mattermost Mattermost=9.8.0
Denial of service in Mattermost mobile apps and server via emoji reactions
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.5
go/github.com/mattermost/mattermost/server/v8>=9.2.0<9.2.4
go/github.com/mattermost/mattermost/server/v8<8.1.8
Mattermost Mattermost Server<=8.1.7
Mattermost Mattermost Server>=9.0.0<=9.1.4
Mattermost Mattermost Server>=9.2.0<=9.2.3
Incorrect Authorization leads to Channel Member Count Leak
Mattermost Mattermost Server<=8.1.7
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.3.0
go/github.com/mattermost/mattermost/server/v8<8.1.8
Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)
go/github.com/mattermost/mattermost-plugin-jira<4.0.0-rc1
Mattermost Mattermost Server<=8.1.7
CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
Mattermost Mattermost Server<=8.1.7
go/github.com/mattermost/mattermost-plugin-jira<1.1.2-0.20230830170046-f4cf4c6de017
Details of archived public channels are leaked to members of another team
go/github.com/mattermost/mattermost/server/v8<=8.1.0
go/github.com/mattermost/mattermost-server/v6<=7.8.9
Mattermost Mattermost Server<8.1.7
Mattermost Mattermost Server>=9.0.0<9.0.5
Mattermost Mattermost Server>=9.1.0<9.1.4
Mattermost Mattermost Server>=9.2.0<9.2.3
and 4 more
Lack of restriction to manage group names for freshly demoted guests
go/github.com/mattermost/mattermost/server/v8<=8.1.6
Mattermost Mattermost Server<8.1.7
<8.1.7
Keywords that trigger mentions are leaked to other users
go/github.com/mattermost/mattermost-server/v6<=8.1.6
go/github.com/mattermost/mattermost/server/v8<=8.1.6
Mattermost Mattermost Server<8.1.7
<8.1.7
Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
Mattermost Mattermost<2.10.1
Mattermost Mattermost<2.10.1
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
go/github.com/mattermost/mattermost/server/v8<8.1.7
Mattermost Mattermost Server<8.1.7
<8.1.7
Leak Inaccessible Playbook Information via Channel Action IDOR
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.2.0<=9.2.1
Reflected client side path traversal leading to CSRF in Playbooks
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbooks access/modification by removed team member
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbook plugin crash via missing interface type assertion
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.0<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Mattermost Mattermost Server=9.1.1
Todo plugin gets crashed and disabled by member
Mattermost Mattermost Server<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.1.0
Inaccessible Post Information Leak via Run Timeline IDOR
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
IDOR when updating the tasks of a private playbook run
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Playbook Plugin Crash via Run Checklist
Mattermost Mattermost Server<=7.8.14
Mattermost Mattermost Server>=8.0.0<=8.1.5
Mattermost Mattermost Server>=9.0.0<=9.0.3
Mattermost Mattermost Server>=9.1.1<=9.1.2
Mattermost Mattermost Server>=9.2.0<=9.2.1
Public endpoint /metrics of Calls plugin reveals channel IDs
go/github.com/mattermost/mattermost/server/v8<8.1.5
go/github.com/mattermost/mattermost-server/v6<7.8.14
Mattermost Mattermost Server<7.8.14
Mattermost Mattermost Server>=8.0.0<8.1.5
Client side path traversal due to lack of route parameters validation
go/github.com/mattermost/mattermost/server>=9.1.0<9.1.2
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.3
go/github.com/mattermost/mattermost/server/v8<8.1.5
go/github.com/mattermost/mattermost-server/v6<7.8.14
Mattermost Mattermost Server<7.8.14
Mattermost Mattermost Server>=8.0.0<8.1.5
and 2 more
Open redirect in /oauth/<service>/mobile_login?redirect_to=
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Insecure Direct Object Reference in /plugins/focalboard/api/v2/users of Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Log Flooding due to specially crafted requests in different endpoints
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Mattermost Mattermost>=9.0.0<=9.0.1
Mattermost Mattermost=9.1.0
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
and 2 more
HTML injection via channel autocomplete
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Denial of Service via specially crafted block fields in Mattermost Boards
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Denial of Service via Board Import Zip Bomb
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
go/github.com/mattermost/mattermost/server/v8>=9.0.0<9.0.2
go/github.com/mattermost/mattermost/server/v8>=9.1.0<9.1.1
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
and 2 more
Users' full name disclosure through Mattermost Boards with Show Full Name option disabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Username and Icon override can be used by members when Hardened Mode is enabled
go/github.com/mattermost/mattermost-server/v6<7.8.13
go/github.com/mattermost/mattermost/server/v8<8.1.4
Mattermost Mattermost<=7.8.12
Mattermost Mattermost>=8.0.0<=8.1.3
Denial of Service via Link Preview in /api/v4/redirect_location
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
Password hash in response body after username update
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
Mattermost Mattermost=9.0.0
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
and 2 more
Denial of Service via crashing the Calls Plugin
Mattermost Mattermost<=7.8.11
Mattermost Mattermost>=8.0.0<=8.0.3
Mattermost Mattermost>=8.1.0<=8.1.2
go/github.com/mattermost/mattermost/server/v8=9.0.0
go/github.com/mattermost/mattermost/server/v8>=8.1.0<8.1.3
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.4
and 1 more
Lack of Secure Keyboard Entry protection in macOS Desktop
Mattermost Mattermost Desktop<5.5.1
Apple macOS
Lack of Hardening against media exploitation from a remote origin
Mattermost Mattermost Desktop<5.5.1
Regex DoS from a malicious server enrolled in Desktop
Mattermost Mattermost Desktop<5.5.1
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when view...
Mattermost Mattermost<2.8.0
Mattermost Mattermost<2.8.0
Mattermost Desktop fails to set an appropriate log level during the initial run after a fresh installation, resulting in all keystrokes, including password entry, being logged.
Mattermost Mattermost Desktop<=5.4.0
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning ...
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids ...
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
Mattermost Mattermost Server<7.8.11
Mattermost Mattermost Server>=8.0.0<8.0.3
Mattermost Mattermost Server>=8.1.0<8.1.2
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was ...
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
go/github.com/mattermost/mattermost-server/v6<7.8.10
go/github.com/mattermost/mattermost/server/v8>=8.0.0<8.0.2
go/github.com/mattermost/mattermost/server/v8=8.1.0
Mattermost Mattermost>=7.0.0<7.8.10
Mattermost Mattermost>=8.0.0<8.1.1

© 2024 SecAlerts Pty Ltd.