CVE-2025-4128
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/teamid...
Mattermost Server 9.11.x < 9.11.6 (MMSA-2024-00378)
The version of Mattermost Server installed on the remote host is prior to 9.11.6. It is, therefore, affected by an improper access control vulnerability as referenced in the MMSA-2024-00378 advisory. Mattermost versions 9.11.x prior to 9.11.5 fail to enforce invite permissions, which allows team...
Mattermost Incorrect Authorization vulnerability
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allowopeninvite" field via making their team public...
Trello: If a team is public, the web socket receives data about the Team visible boards
When viewing a public team, users are allowed to connect to an update channel that notifies them of changes made to the team. When a "team visible" not public board was added or removed from a public team, an update with the name of the team would be sent to all subscribers, potentially including...