CVE-2024-42000 Unauthorized Access to view channels' details

Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 and 10.0.x = 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that...

CVE-2024-46872

Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks...

Mattermost Server 9.5.x < 9.5.9 / 9.9.x < 9.9.3 / 9.10.x < 9.10.2 (MMSA-2024-00362)

The version of Mattermost Server installed on the remote host is prior to 9.5.9, 9.9.3, or 9.10.2. It is, therefore, affected by a vulnerability as referenced in the MMSA-2024-00362 advisory. - Mattermost versions 9.10.x = 9.10.1, 9.9.x = 9.9.2, 9.5.x = 9.5.8 fail to limit access to channels file...

CVE-2024-9155 Insufficient Authorization On Unlinked Channel Files

Mattermost versions 9.10.x = 9.10.1, 9.9.x = 9.9.2, 9.5.x = 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of...

PT-2024-39459 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.8 Mattermost versions 9.9.x through 9.9.2 Mattermost versions 9.10.x through 9.10.1 Description: The issue allows an attacker to view unlinked channel files in channels they are a member of, due to a...

GHSA-3J95-8G47-FPWH Mattermost allows team admin user without "Add Team Members" permission to disable invite URL

Mattermost versions 9.5.x = 9.5.7, 9.10.x = 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL...

CVE-2024-40884

Mattermost versions 9.5.x = 9.5.7, 9.10.x = 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL...

CVE-2024-42497 Insufficient permissions checks on teams

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0, 9.8.x = 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams...

CVE-2024-40884

Mattermost Server 9.5.x (up to 9.5.7) and 9.10.x (up to 9.10.0) are affected by an improper access control issue that allows a team admin user without the Add Team Members permission to disable the invite URL. The issue is caused by insufficient enforcement of permissions (no explicit access cont...

GHSA-HRF9-RM95-FPF3 Mattermost Cross-Site Request Forgery vulnerability

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0, 9.8.x = 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console...

GHSA-5263-PM2H-M7HW Mattermost doesn't restrict which roles can promote a user as system admin

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0 and 9.8.x = 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role e.g. member to include the managesystem...

Mattermost doesn't restrict which roles can promote a user as system admin

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0 and 9.8.x = 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role e.g. member to include the managesystem...

CVE-2024-8071

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0 and 9.8.x = 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role e.g. member to include the managesystem...

CVE-2024-39836

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0 and 9.8.x = 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset...

CVE-2024-39810

Mattermost versions 9.5.x = 9.5.7 and 9.10.x = 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the...

CVE-2024-43813 IDOR when marking read a user's channel

Mattermost versions 9.5.x = 9.5.7, 9.10.x = 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user...

CVE-2024-43813

CVE-2024-43813 affects Mattermost Server: versions 9.5.x up to 9.5.7 and 9.10.x up to 9.10.0 do not enforce proper access controls, allowing any authenticated user (including guests) to mark any channel inside any team as read for any user. Root cause: improper access control in read-marking func...

CVE-2024-39836

Mattermost server vulnerable versions: 9.9.x &lt;= 9.9.1, 9.5.x &lt;= 9.5.7, 9.10.x &lt;= 9.10.0, and 9.8.x

Canonical Ubuntu Linux SEoL (9.10.x)

According to its version, Canonical Ubuntu Linux is 9.10.x. It is, therefore, no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities. %NASLMINLEVEL...

K59692558: BIND vulnerability CVE-2016-2088

Security Advisory Description resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service INSIST assertion failure and daemon exit via a malformed packet with more than one cookie option. CVE-2016-2088 Impact There is...