Lucene search
+L

77 matches found

Github Security Blog
Github Security Blog
added 2025/08/21 9:30 a.m.14 views

Mattermost Fails to Properly Validate Team Role Modification

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...

3.8CVSS7.1AI score0.00189EPSS
Exploits0References4Affected Software4
Cvelist
Cvelist
added 2025/08/21 8:2 a.m.32 views

CVE-2025-47870 Team invite ID leaked to team admin with no member invite privileges

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id...

4.3CVSS0.00201EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/08/21 7:31 a.m.35 views

CVE-2025-53971 Channel and Team Membership APIs inadvertently allow loss of Member privileges.

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...

3.8CVSS0.00189EPSS
Exploits0References1
CVE
CVE
added 2025/08/21 7:31 a.m.118 views

CVE-2025-53971

Mattermost Server vulnerability CVE-2025-53971 affects versions 10.5.x ≤ 10.5.8 and 9.11.x ≤ 9.11.17. The issue arises from improper authorization validation for team scheme role modifications, allowing Team Admins to demote Team Members to Guests via PUT /api/v4/teams/{team-id}/members/{user-id}...

3.8CVSS7.1AI score0.00189EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2025/08/21 7:31 a.m.5 views

CVE-2025-53971 Channel and Team Membership APIs inadvertently allow loss of Member privileges.

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...

3.8CVSS5.9AI score0.00189EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/05/23 10:8 a.m.10 views

CVE-2024-29221

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

4.7CVSS6.7AI score0.00331EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:22 a.m.7 views

CVE-2024-54682

Mattermost versions 10.1.x = 10.1.2, 10.0.x = 10.0.2, 9.11.x = 9.11.4, 9.5.x = 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin...

6.5CVSS6.7AI score0.00425EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:2 a.m.9 views

CVE-2023-27265

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...

2.7CVSS6.7AI score0.00526EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:2 a.m.19 views

CVE-2023-27266

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...

2.7CVSS6.7AI score0.00526EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 12:2 a.m.8 views

CVE-2022-24841

fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a te...

8.1CVSS6.8AI score0.00814EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2025/03/29 3:3 a.m.4 views

SUSE CVE-2025-27715

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

2.7CVSS6.9AI score0.00201EPSS
Exploits0References3
OSV
OSV
added 2025/03/28 7:21 a.m.49 views

BIT-MATTERMOST-2025-27715

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

3.3CVSS7AI score0.00201EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/03/28 12:0 a.m.19 views

Mattermost Server 9.11.x < 9.11.9 (MMSA-2024-00409)

The version of Mattermost Server installed on the remote host is prior to 9.11.9. It is, therefore, affected by a vulnerability as referenced in the MMSA-2024-00409 advisory. - Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel...

3.3CVSS6.3AI score0.00201EPSS
Exploits0References2
OSV
OSV
added 2025/03/25 7:38 p.m.10 views

GO-2025-3555 Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server...

3.3CVSS3.9AI score0.00201EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/03/23 2:22 p.m.21 views

CVE-2025-27715

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

3.3CVSS6.8AI score0.00201EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2025/03/21 9:30 a.m.14 views

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

3.3CVSS7AI score0.00201EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2025/03/21 9:30 a.m.19 views

GHSA-CW7Q-5CGC-H3H9 Mattermost fail to prompt for explicit approval before adding a team admin to a private channel

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

3.3CVSS7AI score0.00201EPSS
Exploits0References3
NVD
NVD
added 2025/03/21 9:15 a.m.24 views

CVE-2025-27715

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

3.3CVSS0.00201EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/03/21 8:22 a.m.7 views

CVE-2025-27715 Auto-Enrollment of Team Admins into Private Channels without explicit consent

Mattermost versions 9.11.x = 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them...

3.3CVSS6.9AI score0.00201EPSS
Exploits0References1
CVE
CVE
added 2025/03/21 8:22 a.m.101 views

CVE-2025-27715

Mattermost CVE-2025-27715 affects Mattermost Server 9.11.x

3.3CVSS4AI score0.00201EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder