CVE Daily
← All tags

Tag: Mattermost

All CVEs associated with "Mattermost". Page 4/5 • 583 CVEs.

Subscribe CVEs: RSS for “Mattermost”  ·  RSS (High+Critical only)

About “Mattermost”

A curated feed of “Mattermost”-related CVEs appears below. We currently track 583 CVEs for this tag (all time). In the last 365 days, 159 were published. Average CVSS is 5.3 (all time; 5.1 over 365d), and 19% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-862 - Missing Authorization, CWE-754 - Improper Check for Unusual or Exceptional Conditions.

In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2023-07-17
Low

CVE-2023-3577

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.

CVSS: 3.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2023-06-16
Medium

CVE-2023-2831

Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters.

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Low

CVE-2023-2797

Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel.

CVSS: 3.1 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2023-2793

Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2023-2792

Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2023-2785

Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2023-2791

When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-2788

Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2…

CVSS: 6.2 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-2787

Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-2786

Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands.

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-2784

Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps.

CVSS: 4.2 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-2783

Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2023-05-29
Medium

CVE-2023-2808

Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2023-05-12
Medium

CVE-2023-2515

Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin

CVSS: 4.7 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2023-2514

Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization.

CVSS: 6.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-05-02
Medium

CVE-2023-2000

Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website

CVSS: 5.4 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-04-25
Low

CVE-2023-2281

When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data…

CVSS: 3.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-04-20
Medium

CVE-2023-2193

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
2023-04-17
High

CVE-2023-1831

Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (Experimen…

CVSS: 7.2 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-03-31
Medium

CVE-2023-1777

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2023-1776

Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-1775

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2023-1774

When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.

CVSS: 4.2 CWE: CWE-862 - Missing Authorization View on NVD
2023-03-22
Low

CVE-2023-1562

Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.

CVSS: 3.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-03-15
Low

CVE-2023-1421

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2023-02-27
Low

CVE-2023-27266

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owne…

CVSS: 2.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2023-27265

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner…

CVSS: 2.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2023-27264

A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.

CVSS: 7.1 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-27263

A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2022-11-23
Low

CVE-2022-4045

A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.

CVSS: 3.1 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2022-4044

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.

CVSS: 4.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2022-4019

A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.

CVSS: 4.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2022-09-23
Low

CVE-2022-3257

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaus…

CVSS: 3.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-09-09
Low

CVE-2022-3147

Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific sy…

CVSS: 3.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-07-14
Medium

CVE-2022-2408

The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-2406

The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing la…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2022-2401

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-07-12
Medium

CVE-2022-2366

Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging…

CVSS: 5.6 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2022-06-02
Medium

CVE-2022-1982

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-05-03
Low

CVE-2022-1548

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to…

CVSS: 3.7 CWE: CWE-264 View on NVD
2022-04-19
Low

CVE-2022-1385

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace…

CVSS: 3.7 CWE: CWE-664 - Improper Control of a Resource Through its Lifetime View on NVD
Medium

CVE-2022-1384

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and ex…

CVSS: 4.7 CWE: CWE-477 - Use of Obsolete Function View on NVD
2022-04-13
Medium

CVE-2022-1337

The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Low

CVE-2022-1333

Mattermost Playbooks plugin v1.24.0 and earlier fails to properly check the limit on the number of webhooks, which allows authenticated and authorized users to create a specifically drafted Playbook…

CVSS: 3.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2022-1332

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions a…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-03-18
Low

CVE-2022-1003

One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way t…

CVSS: 3.3 CWE: CWE-268 - Privilege Chaining View on NVD
Low

CVE-2022-1002

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to i…

CVSS: 2.0 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
2022-03-10
Medium

CVE-2022-0904

A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages docum…

CVSS: 4.3 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2022-0903

A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.

CVSS: 5.3 CWE: CWE-787 - Out-of-bounds Write View on NVD
2022-02-21
Medium

CVE-2022-0708

Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-01-18
Medium

CVE-2021-37867

Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information res…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2021-37866

Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.

CVSS: 4.7 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2021-37865

Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Low

CVE-2021-37864

Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied…

CVSS: 2.6 CWE: CWE-284 - Improper Access Control View on NVD
2021-12-17
Low

CVE-2021-37863

Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously c…

CVSS: 3.5 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2021-37862

Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via cr…

CVSS: 3.7 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2021-12-09
Medium

CVE-2021-37861

Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails.

CVSS: 5.8 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2021-09-22
Low

CVE-2021-37860

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the…

CVSS: 3.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-08-05
High

CVE-2021-37859

Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost.

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-12-28
Critical

CVE-2020-26290

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilitie…

CVSS: 9.3 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2020-12-17
Critical

CVE-2020-26276

Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted d…

CVSS: 10.0 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2020-06-26
High

CVE-2020-13891

An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.

CVSS: 7.5 CWE: N/A View on NVD
2020-06-19
Medium

CVE-2017-18921

An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2017-18920

An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.

CVSS: 9.8 CWE: N/A View on NVD
Medium

CVE-2017-18919

An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2017-18918

An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.

CVSS: 4.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2017-18917

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.

CVSS: 7.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
Medium

CVE-2017-18916

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.

CVSS: 5.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2017-18915

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.

CVSS: 9.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2017-18914

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.

CVSS: 5.3 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2017-18913

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2017-18908

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2017-18907

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2017-18906

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2017-18905

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.

CVSS: 5.3 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2016-11084

An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.

CVSS: 6.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2016-11083

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-11082

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-11081

An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-11080

An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.

CVSS: 4.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2016-11079

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-11078

An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2016-11077

An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.

CVSS: 2.7 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2016-11076

An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.

CVSS: 5.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2016-11075

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2016-11074

An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2016-11073

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-11072

An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2016-11071

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-11070

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2016-11069

An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.

CVSS: 7.5 CWE: CWE-521 - Weak Password Requirements View on NVD
Medium

CVE-2016-11068

An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.

CVSS: 5.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2016-11067

An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2016-11066

An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-11065

An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.

CVSS: 4.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2016-11064

An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2016-11063

An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-11062

An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.

CVSS: 5.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2015-9548

An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Critical

CVE-2017-18912

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2017-18911

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.

CVSS: 9.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2017-18910

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.

CVSS: 4.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2017-18909

An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2017-18904

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2017-18903

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2017-18902

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2017-18901

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2017-18900

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2017-18899

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.

CVSS: 5.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2017-18898

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.

CVSS: 5.3 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
Medium

CVE-2017-18897

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2017-18896

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.

CVSS: 5.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2017-18895

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2017-18894

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.

CVSS: 8.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2017-18893

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2017-18892

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.

CVSS: 6.1 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
Medium

CVE-2017-18891

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2017-18890

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-18889

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2017-18888

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD