SUSE CVE-2017-18901

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document...

CVE-2017-18901

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document...

EUVD-2017-9992

Malware in sbrugna...

Improper Input Validation

github.com/mattermost/mattermost-servert is vulnerable to Improper Input Validation. The vulnerability is due to failure to sanitize the team invite ID in the /api/v4/teams/:teamId/restore endpoint, which allows a team admin without invite privileges to obtain the team’s invite ID...

Mattermost Server 9.11.x < 9.11.18 / 10.5.x < 10.5.9 / 10.8.x < 10.8.4 / 10.9.x < 10.9.3 / 10.10.0 Multiple Vulnerabilities (MMSA-2025-00498, MMSA-2025-00499)

The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities as referenced in the MMSA-2025-00500 and MMSA-2025-00499 advisories. - Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2 fail to sanitize the team invite ID ...

GO-2025-3905 Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server

Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server...

CVE-2025-47870

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id...

Mattermost Does Not Sanitize the Team Invite ID

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id...

BIT-MATTERMOST-2024-29221

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

GHSA-W67V-PH4X-F48Q Mattermost Server Improper Access Control

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

CVE-2024-29221 Invite ID available to team admins even without the "Add Members" permission

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

CVE-2024-29221

CVE-2024-29221 (Mattermost Server) describes improper access control in the /api/v4/users/me/teams endpoint, where a team admin could obtain the team invite ID and invite users despite lacking the Add Members permission. Affected versions include 8.1.x before 8.1.11, 9.x before 9.3.3/9.4.4/9.5.2....

Code injection

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...

CVE-2023-27265 Disclosure of team owner email address when regenerating Invite ID

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...

Mattermost Server exposes private team invite ID

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document...

Unspecified Vulnerability in Mattermost Server (CNVD-2020-41174)

Mattermost Server is the United States Mattermost company's set of open source messaging platform. A security vulnerability exists in Mattermost Server versions prior to 4.8.1, 4.7.4 and 4.6.3. An attacker can use this vulnerability to obtain the inviteid of a team and then repeatedly ask...

Design/Logic Flaw

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document...