Filtered by vendor Mattermost
Subscribe
Total
345 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-6459 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 5.3 MEDIUM |
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs. | |||||
CVE-2023-6458 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 7.1 HIGH |
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | |||||
CVE-2023-6202 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards. | |||||
CVE-2023-5969 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 5.3 MEDIUM |
Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. | |||||
CVE-2023-5968 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.9 MEDIUM |
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | |||||
CVE-2023-5967 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin | |||||
CVE-2023-5920 | 2 Apple, Mattermost | 2 Macos, Mattermost Desktop | 2024-11-21 | N/A | 2.9 LOW |
Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input. | |||||
CVE-2023-5876 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | N/A | 3.1 LOW |
Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service. | |||||
CVE-2023-5875 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | N/A | 3.7 LOW |
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server | |||||
CVE-2023-5522 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. | |||||
CVE-2023-5339 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | N/A | 4.7 MEDIUM |
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. | |||||
CVE-2023-5333 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | |||||
CVE-2023-5331 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. | |||||
CVE-2023-5330 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | |||||
CVE-2023-5196 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.5 MEDIUM |
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. | |||||
CVE-2023-5195 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.5 MEDIUM |
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of | |||||
CVE-2023-5194 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 2.7 LOW |
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager | |||||
CVE-2023-5193 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.9 MEDIUM |
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. | |||||
CVE-2023-5160 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled | |||||
CVE-2023-5159 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 3.8 LOW |
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. |