Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the POST /api/v4/users/userid/email/verify/member endpoint. An attacker can obtain sensitive information, such as password hashes and MFA secrets, by sending crafted requests to this endpoint. Remediation Upgrad...
Incorrect Authorization
Overview github.com/mattermost/mattermost/server/v8/channels/api4 is a platform for secure collaboration across the entire software development lifecycle. Affected versions of this package are vulnerable to Incorrect Authorization via the /api/v4/channels/channelid/members endpoint. An attacker ca...
EUVD-2023-57497
Malicious code in bioql PyPI...
EUVD-2024-0710
Malicious code in bioql PyPI...
EUVD-2022-1816
Malicious code in bioql PyPI...
EUVD-2023-0855
Malicious code in bioql PyPI...
EUVD-2022-24353
Malicious code in bioql PyPI...
EUVD-2023-31044
Malicious code in bioql PyPI...
CVE-2024-24776
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/membercount API resulting in channel member counts being leaked to a user without permissions...
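The two authorization entries above (the /api/v4/channels/channelid/members endpoint and the POST /api/v4/channels/stats/membercount endpoint) share one root cause: a handler that answers for a channel without first checking that the calling session may read it. The following is an added example in Go, not Mattermost's own code; the Session, Channel, Store and Permission types, the membership-based permission rule and the sample data are all hypothetical simplifications. It places the unchecked handler beside the hardened one and shows two points a practitioner should carry over: a batch endpoint must check every ID in the batch, and an unknown channel should produce the same error as a denied one so the error itself does not reveal which IDs exist.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Mattermost code. The types below are a deliberately
// small, hypothetical model of sessions, channels and permissions.
type Permission string

const PermissionReadChannel Permission = "read_channel"

type Session struct{ UserID string }

type Channel struct {
	ID      string
	Members map[string]bool // user ID -> is a member
}

type Store struct{ Channels map[string]*Channel }

var ErrForbidden = errors.New("forbidden")

// HasPermissionToChannel is the toy authorization rule: only current members
// may read a channel. A real server would consult roles and permission schemes.
func (s *Store) HasPermissionToChannel(sess Session, channelID string, p Permission) bool {
	ch, ok := s.Channels[channelID]
	if !ok {
		return false // unknown channel: treated exactly like no permission
	}
	if p != PermissionReadChannel {
		return false
	}
	return ch.Members[sess.UserID]
}

// memberCountsUnchecked mirrors the bug class: the handler trusts the caller
// and answers for every channel ID in the batch.
func memberCountsUnchecked(s *Store, _ Session, ids []string) map[string]int {
	out := make(map[string]int, len(ids))
	for _, id := range ids {
		if ch, ok := s.Channels[id]; ok {
			out[id] = len(ch.Members)
		}
	}
	return out
}

// memberCountsChecked is the hardened form: every ID in the batch must pass
// the permission check before any count is returned, and a missing channel
// yields the same ErrForbidden as a denied one, so the caller cannot use the
// error to probe which channel IDs exist.
func memberCountsChecked(s *Store, sess Session, ids []string) (map[string]int, error) {
	for _, id := range ids {
		if !s.HasPermissionToChannel(sess, id, PermissionReadChannel) {
			return nil, ErrForbidden
		}
	}
	out := make(map[string]int, len(ids))
	for _, id := range ids {
		out[id] = len(s.Channels[id].Members)
	}
	return out, nil
}

// sampleStore builds constructed test data: alice is a member of c1 only.
func sampleStore() *Store {
	return &Store{Channels: map[string]*Channel{
		"c1": {ID: "c1", Members: map[string]bool{"alice": true, "bob": true}},
		"c2": {ID: "c2", Members: map[string]bool{"bob": true, "carol": true, "dave": true}},
	}}
}

func main() {
	s := sampleStore()
	alice := Session{UserID: "alice"}
	fmt.Println("unchecked:", memberCountsUnchecked(s, alice, []string{"c1", "c2"}))
	counts, err := memberCountsChecked(s, alice, []string{"c1", "c2"})
	fmt.Println("checked:", counts, err)
}
```

The fix loops twice on purpose: all authorization decisions are made before any data is assembled, so a partially filled response can never be returned on the error path.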
CVE-2023-2791
When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post...
CVE-2022-1332
One of the APIs in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows authenticated members with a restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents...
CVE-2022-1003
One of the APIs in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows system administrators to combine two distinct privileges/capabilities in a way that lets them override certain restricted configurations like EnableUploads...
CVE-2025-41423
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without...
CVE-2023-1562 Full name revealed via /plugins/focalboard/api/v2/users
Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner...
CVE-2023-27266 Disclosure of team owner email address when accessing the teams API
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
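CVE-2023-1562 and CVE-2023-27266 above are the same failure seen twice: a user record reaches the response through a code path (a board's owner, a team's owner) that never applied the "Show Full Name" / ShowEmailAddress privacy settings. The following is an added example in Go, not Mattermost's or Focalboard's code; the User, Viewer, Team and PrivacySettings types are hypothetical, and the rule that only the user themself or a system admin is exempt from sanitization (a team admin is not) is an assumption of this model. It shows a single sanitizer applied to every embedded user before a response is built, with the unsanitized variant beside it for contrast.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not Mattermost code: a hypothetical user record and the
// two privacy settings named in the advisories.
type User struct {
	ID        string `json:"id"`
	Username  string `json:"username"`
	Email     string `json:"email,omitempty"`
	FirstName string `json:"first_name,omitempty"`
	LastName  string `json:"last_name,omitempty"`
}

type PrivacySettings struct {
	ShowEmailAddress bool
	ShowFullName     bool
}

type Viewer struct {
	UserID     string
	IsSysAdmin bool
}

// SanitizeForViewer returns a copy of u with fields blanked according to the
// privacy settings. Only the user themself and a system admin see everything;
// a team admin is treated like any other viewer (an assumption of this model).
func SanitizeForViewer(u User, v Viewer, ps PrivacySettings) User {
	out := u
	if v.UserID == u.ID || v.IsSysAdmin {
		return out
	}
	if !ps.ShowEmailAddress {
		out.Email = ""
	}
	if !ps.ShowFullName {
		out.FirstName = ""
		out.LastName = ""
	}
	return out
}

// Team embeds its owner as a full user record: the kind of nested object a
// "my teams" style response can serialize without passing the sanitizer.
type Team struct {
	ID    string `json:"id"`
	Name  string `json:"name"`
	Owner User   `json:"owner"`
}

// teamsResponseUnsanitized mirrors the bug class: the owner record is copied
// straight into the response regardless of the privacy settings.
func teamsResponseUnsanitized(teams []Team, _ Viewer, _ PrivacySettings) []Team {
	out := make([]Team, len(teams))
	copy(out, teams)
	return out
}

// teamsResponseSanitized runs every embedded user through the sanitizer
// before the response leaves the handler.
func teamsResponseSanitized(teams []Team, v Viewer, ps PrivacySettings) []Team {
	out := make([]Team, 0, len(teams))
	for _, t := range teams {
		t.Owner = SanitizeForViewer(t.Owner, v, ps) // t is a copy; input is untouched
		out = append(out, t)
	}
	return out
}

// sampleTeams is constructed test data: carol owns one team.
func sampleTeams() []Team {
	return []Team{{
		ID:   "t1",
		Name: "engineering",
		Owner: User{ID: "carol", Username: "carol", Email: "carol@example.invalid",
			FirstName: "Carol", LastName: "Owner"},
	}}
}

func main() {
	hidden := PrivacySettings{ShowEmailAddress: false, ShowFullName: false}
	bob := Viewer{UserID: "bob"} // a team admin in this scenario, not a system admin
	leaky, _ := json.Marshal(teamsResponseUnsanitized(sampleTeams(), bob, hidden))
	fixed, _ := json.Marshal(teamsResponseSanitized(sampleTeams(), bob, hidden))
	fmt.Println("unsanitized:", string(leaky))
	fmt.Println("sanitized:  ", string(fixed))
}
```

The practical check when reviewing a handler is to find every struct that embeds a user (owner, creator, last editor) and confirm each one is routed through the same sanitizer the plain user endpoints use; a second sanitizer written for a plugin is where the setting tends to get dropped.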
MAL-2022-4497 Malicious code in mattermost-api-reference (npm)
Source: ghsa-malware 94fde864da06b17a99846f32fa395eccf899430a4b5a71bffc74b38ab8414b1d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...