28 matches found
CVE-2024-39274
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels...
CVE-2024-2450
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request und...
EUVD-2025-10699
Malicious code in bioql PyPI...
EUVD-2024-0444
Malicious code in bioql PyPI...
CVE-2025-47871
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive informatio...
Mattermost Security Vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability in Mattermost versions 10.5.5 and prior 10.5.x, 9.11.15 and prior 9.11.x, 10.8.0 and prior 10.8.x, 10.7.2 and prior 10.7.x, and 10.6.5 and prior 10.6.x, which stems from an...
CVE-2025-4128
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/teamid...
CVE-2023-5160
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAMID/top/teammembers endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled...
CVE-2023-27265
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
CVE-2023-27266
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
CVE-2023-2786
Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands...
CVE-2023-3577
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF...
CVE-2022-1385
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels...
CVE-2021-37861
Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails...
CVE-2021-37860
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP...
CVE-2025-32093 System admin profile modification by delegated granular administration role
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system...
CVE-2025-24866
CVE-2025-24866 affects Mattermost server (Mattermost 9.11.x, including 9.11.8 and earlier) where the access control on the /api/v4/audits endpoint is improper. The vulnerability allows users with delegated granular administration roles who do not have access to Compliance Monitoring to retrieve U...
Mattermost Fails to Enforce MFA on Plugin Endpoints
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
CVE-2025-25068 Bypassing MFA Enforcement on Plugin Endpoints
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
CVE-2025-30179
Mattermost CVE-2025-30179 affects Mattermost Server: MFA is not enforced on certain search APIs, allowing authenticated users to bypass MFA via user, channel, or team search. Affected lines are Mattermost Server 9.11.x ≤ 9.11.8, 10.3.x ≤ 10.3.3, and 10.4.x ≤ 10.4.2. Remediation per advisories is ...