Filters
Versions
Mattermost MattermostUser creation date manipulation in POST /api/v4/users
5.3
First published (updated )
Mattermost MattermostIDOR when marking read a user's channel
4.3
First published (updated )
Mattermost MattermostServer crash via Elasticsearch certificate file
4.9
First published (updated )
Mattermost MattermostEmail addresses of remote users visible in props regardless of server settings
4.3
First published (updated )
Mattermost MattermostMunged email address used for password resets and notifications
6.5
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
go/github.com/mattermost/mattermost/server/v8Malicious remote can create arbitrary reactions on arbitrary posts
4.3
First published (updated )
Mattermost MattermostLimited DoS due to permitting creating users with user-defined IDs
6.5
EPSS
0.05%
First published (updated )
Mattermost MattermostCreating posts with user-defined IDs permitted in CreatePost API
5.4
First published (updated )
Mattermost MattermostChannel IDs of archived/restored channels leaked via webhook events
5.3
First published (updated )
Mattermost MattermostLack of permission check when updating the profile picture of a remote user (shared channels enabled)
5.3
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostOpen redirect in /oauth/<service>/mobile_login?redirect_to=
6.1
First published (updated )
go/github.com/mattermost/mattermost/server/v8Insecure Direct Object Reference in /plugins/focalboard/ api/v2/users of Mattermost Boards
4.3
EPSS
0.04%
First published (updated )
Mattermost MattermostPermalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
4.3
First published (updated )
Mattermost MattermostLog Flooding due to specially crafted requests in different endpoints
5.3
First published (updated )
Mattermost MattermostHTML injection via channel autocomplete
5.4
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostUsers full name disclosure through Mattermost Boards with Show Full Name Option disabled
4.3
First published (updated )
Mattermost MattermostUsername and Icon override can be used by members when Hardened Mode is enabled
4.3
First published (updated )
Mattermost MattermostDenial of Service via Link Preview in /api/v4/redirect_location
5.3
EPSS
0.05%
First published (updated )
Mattermost MattermostPassword hash in response body after username update
4.9
EPSS
0.05%
First published (updated )
Mattermost MattermostDenial of Service via crashing the Calls Plugin
4.3
EPSS
0.04%
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostMobile app freezes when receiving a post with hundreds of emojis
4.3
First published (updated )
Mattermost MattermostFull name disclosure via team top membership with Show Full Name option disabled
4.3
First published (updated )
go/github.com/mattermost/mattermost/server/v8A system/user manager can demote / deactivate another manager
4.3
First published (updated )
Mattermost MattermostA team member can soft delete other teams that they are not part of
6.5
First published (updated )
Mattermost MattermostSystem Role with manage posts permission can read posts of Direct Messages
4.9
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostDoS via Channel Notification Properties
6.5
First published (updated )
Mattermost MattermostIncorrect authorization allows a user manager to update a system admin
6.7
First published (updated )
Mattermost MattermostA guest user can perform various actions on public playbooks
6.5
First published (updated )
Mattermost MattermostAttachment of deleted message in a thread remains accessible and downloadable
4.3
First published (updated )
Mattermost MattermostSpecially crafted search query can cause large log entries in postgres
4.3
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostDenial of Service while unescaping a Markdown string
6.5
First published (updated )
Mattermost MattermostPath traversal in GitHub plugin's code preview feature
6.5
First published (updated )
Mattermost MattermostStack exhaustion in PreparePostForClientWithEmbedsAndImages
6.5
First published (updated )
Mattermost MattermostEphemeral messages return private channel contents in permalink previews
6.5
First published (updated )
Mattermost MattermostPlaybooks lets you edit arbitrary posts
4.3
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostDeactivated user can retain access using oauth2 api
6.5
First published (updated )
Mattermost MattermostCollapsed Reply Threads APIs leak message contents from private channels
6.5
First published (updated )
Mattermost MattermostChannel commands execution doesn't properly verify permissions
4.3
First published (updated )
Mattermost MattermostApps Framework allows install requests from regular members via an internal path
6.5
First published (updated )
Mattermost MattermostApp Framework does not checks for the secret provided in the incoming webhook request
4.3
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostLack of URL normalization allows rendering previews for disallowed domains
5.3
First published (updated )
Mattermost MattermostFull name revealed via /plugins/focalboard/api/v2/users
4.3
First published (updated )
Mattermost MattermostIDOR: Accessing playbook runs via the Playbooks Runs API
6.5
First published (updated )
Mattermost MattermostAuthenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server
6.5
First published (updated )
Mattermost MattermostAuthenticated user could send multiple requests containing a large Auto Responder Message payload and can crash a Mattermost server
6.5
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Mattermost MattermostAuthenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server
6.5
First published (updated )
Mattermost MattermostGuest accounts can list all public channels
4.3
First published (updated )
Mattermost MattermostMalicious imports can lead to Denial of Service
6.5
First published (updated )
Mattermost MattermostHTML Injection while inviting Guests
5.4
First published (updated )
Mattermost MattermostSysadmin can override existing configs & bypass restrictions like EnableUploads
4.9
First published (updated )
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.