11 matches found
EUVD-2023-31044
Malicious code in bioql PyPI...
Improper Input Validation
github.com/mattermost/mattermost-servert is vulnerable to Improper Input Validation. The vulnerability is due to failure to sanitize the team invite ID in the /api/v4/teams/:teamId/restore endpoint, which allows a team admin without invite privileges to obtain the team’s invite ID...
CVE-2025-53971 Channel and Team Membership APIs inadvertently allow loss of Member privileges.
Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...
CVE-2023-27265
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
CVE-2023-27266
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
BIT-MATTERMOST-2024-29221
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...
CVE-2023-27265
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
Code injection
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
CVE-2023-27266 Disclosure of team owner email address when when accessing the teams API
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
CVE-2023-27265 Disclosure of team owner email address when regenerating Invite ID
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
PT-2023-21044 · Unknown · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost affected versions not specified Description: The issue concerns the failure of Mattermost to honor the ShowEmailAddress setting when responding to the "Regenerate Invite Id" API endpoint. This allows an attacker with team admin...