Lucene search

151 matches found

Cvelist · added 2025/07/18 9:09 a.m. · 7 views

CVE-2025-6233 Arbitrary file read by system admin via path traversal

Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal...

CVSS 6.8 · EPSS 0.0038
Exploits 0 · References 1
Positive Technologies · added 2025/07/14 12:00 a.m. · 3 views

PT-2025-29403 · Code Projects · Voting System

Name of the Vulnerable Software and Affected Versions: code-projects Voting System version 1.0. Description: A critical issue exists in code-projects Voting System 1.0 related to SQL injection. The vulnerability is located in the /admin/positions add.php file, where manipulation of the description...

CVSS 8.8 · AI score 6.7 · EPSS 0.00318
Exploits 2 · References 10
Positive Technologies · added 2025/06/06 12:00 a.m. · 4 views

PT-2025-24277 · 1000 Projects · Best Courier Management System

Name of the Vulnerable Software and Affected Versions: 1000 Projects ABC Courier Management System version 1.0. Description: A critical issue was found in the system, affecting an unknown function of the file /adminSQL. The manipulation of the Username argument leads to SQL injection. This issue c...

CVSS 9.8 · AI score 7.4 · EPSS 0.00428
Exploits 1 · References 11
Positive Technologies · added 2025/06/04 12:00 a.m. · 3 views

PT-2025-23770 · D Link · D-Link Dcs-932L

Name of the Vulnerable Software and Affected Versions: D-Link DCS-932L version 2.18.01. Description: A critical issue was found in the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID leads to OS command injection. It is possible to launch the attack...

CVSS 8.8 · AI score 6.9 · EPSS 0.07787
Exploits 1 · References 13
Positive Technologies · added 2025/05/31 12:00 a.m. · 5 views

PT-2025-23381 · Sourcecodester · Sourcecodester Health Center Patient Record Management System

Name of the Vulnerable Software and Affected Versions: SourceCodester Health Center Patient Record Management System version 1.0. Description: A critical vulnerability has been found in the SourceCodester Health Center Patient Record Management System. The issue affects some unknown functionality ...

CVSS 9.8 · AI score 7.5 · EPSS 0.00422
Exploits 1 · References 14
Vulnrichment · added 2025/05/30 2:22 p.m. · 6 views

CVE-2025-3230 Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...

CVSS 5.4 · AI score 7.1 · EPSS 0.00187
Exploits 0 · References 1
SUSE CVE · added 2025/05/27 1:14 a.m. · 1 view

SUSE CVE-2025-2570

Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check the RestrictSystemAdmin setting if the user doesn't have access to ExperimentalSettings, which allows a System Manager to access ExperimentalSettings when RestrictSystemAdmin is true via the System Console...

CVSS 2.7 · AI score 6.9 · EPSS 0.00278
Exploits 0 · References 3
RedhatCVE · added 2025/05/23 9:35 a.m. · 9 views

CVE-2024-22593

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/addgroupsave...

CVSS 8.8 · AI score 8.8 · EPSS 0.00324
Exploits 1 · References 1
RedhatCVE · added 2025/05/23 7:17 a.m. · 7 views

CVE-2024-8071

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin, which allows a System Role with edit access to the permissions section of the system console to update their role, e.g. member, to include the managesystem...

CVSS 7.2 · AI score 6.8 · EPSS 0.00344
Exploits 0 · References 1
RedhatCVE · added 2025/05/23 1:49 a.m. · 7 views

CVE-2023-2515

Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin...

CVSS 8.8 · AI score 6.8 · EPSS 0.00469
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 10:41 p.m. · 10 views

CVE-2022-28436

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php=display=Hide=...

CVSS 9.8 · AI score 8.3 · EPSS 0.01185
Exploits 1 · References 1
RedhatCVE · added 2025/05/22 8:28 a.m. · 9 views

CVE-2019-19538

In Sangoma FreePBX 13 through 15, the sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation...

CVSS 7.2 · AI score 7.3 · EPSS 0.0313
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 5:06 a.m. · 6 views

CVE-2017-18875

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files...

CVSS 4.9 · AI score 6.9 · EPSS 0.00723
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 5:06 a.m. · 4 views

CVE-2017-18876

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file...

CVSS 4.9 · AI score 6.9 · EPSS 0.00862
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 4:43 a.m. · 7 views

CVE-2019-20886

An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin...

CVSS 7.5 · AI score 6.9 · EPSS 0.00891
Exploits 0 · References 1
Tenable Nessus · added 2025/05/22 12:00 a.m. · 13 views

Mattermost Server 9.11.x < 9.11.12 / 10.5.x < 10.5.3 Multiple Vulnerabilities (MMSA-2025-00455, MMSA-2025-00456)

The version of Mattermost Server installed on the remote host is prior to 9.11.12 or 10.5.3. It is, therefore, affected by multiple vulnerabilities as referenced in the MMSA-2025-00455 and MMSA-2025-00456 advisories. - Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's...

CVSS 4.3 · AI score 5.7 · EPSS 0.00278
Exploits 0 · References 3
RedhatCVE · added 2025/05/17 4:00 p.m. · 14 views

CVE-2025-2570

Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check the RestrictSystemAdmin setting if the user doesn't have access to ExperimentalSettings, which allows a System Manager to access ExperimentalSettings when RestrictSystemAdmin is true via the System Console...

CVSS 2.7 · AI score 6.8 · EPSS 0.00278
Exploits 0 · References 1
Snyk · added 2025/05/15 6:31 p.m. · 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the ExperimentalSettings function. An attacker can exploit this issue by accessing unauthorized settings through the System Console. Note: This is only exploitable if the RestrictSystemAdmin setting is true,...

CVSS 5.1 · AI score 6.9 · EPSS 0.00278
Exploits 0 · References 2
Vulnrichment · added 2025/05/15 3:27 p.m. · 10 views

CVE-2025-2570 System Admin Cannot Access Environment settings in System Console While System Manager Can

Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check the RestrictSystemAdmin setting if the user doesn't have access to ExperimentalSettings, which allows a System Manager to access ExperimentalSettings when RestrictSystemAdmin is true via the System Console...

CVSS 2.7 · AI score 3.8 · EPSS 0.00278
Exploits 0 · References 1