Filtered by vendor Mattermost
Subscriptions
Total
346 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3590 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.1 Low |
| Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. | ||||
| CVE-2023-3587 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 2.7 Low |
| Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions. | ||||
| CVE-2023-3586 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.2 Medium |
| Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | ||||
| CVE-2023-3585 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 Medium |
| Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | ||||
| CVE-2023-3584 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.1 Low |
| Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. | ||||
| CVE-2023-3582 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 Medium |
| Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, | ||||
| CVE-2023-3581 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.2 Medium |
| Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | ||||
| CVE-2023-3577 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.5 Low |
| Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | ||||
| CVE-2023-35075 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 3.1 Low |
| Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. | ||||
| CVE-2021-37863 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.5 Low |
| Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post. | ||||
| CVE-2021-37862 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 3.7 Low |
| Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token. | ||||
| CVE-2021-37861 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 5.8 Medium |
| Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. | ||||
| CVE-2021-37860 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 3.7 Low |
| Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP. | ||||
| CVE-2021-37859 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 7.1 High |
| Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. | ||||
| CVE-2020-14460 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001. | ||||
| CVE-2020-14459 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
| An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002. | ||||
| CVE-2020-14458 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
| An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004. | ||||
| CVE-2020-14457 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.3 Medium |
| An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012. | ||||
| CVE-2020-14456 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | 7.3 High |
| An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006. | ||||
| CVE-2020-14455 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007. | ||||