An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Quick Reply feature mishandles crafted replies.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.26.0. Cookie data can persist on a device after a logout.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.26.0. A view cache can persist on a device after a logout.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device.
9.1CVSS
9AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content).
7.5CVSS
7.4AI Score
0.002EPSS
An issue was discovered in Mattermost Packages before 5.16.3. A Droplet could allow Internet access to a service that has a remote code execution problem.
9.8CVSS
9.5AI Score
0.013EPSS
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
7.5CVSS
7.3AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
7.5CVSS
7.2AI Score
0.002EPSS
An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection.
9.8CVSS
9.6AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
7.5CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
7.5CVSS
7.5AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.
5.5CVSS
5.4AI Score
0.001EPSS
An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link.
8.8CVSS
8.8AI Score
0.003EPSS
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
7.5CVSS
7.4AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
8.8CVSS
8.6AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
5.5CVSS
5.4AI Score
0.0004EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
6.5CVSS
6.2AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
7.5CVSS
7.2AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
5.4CVSS
5.4AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
5.3CVSS
5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
7.5CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
7.3CVSS
7.1AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.
4.3CVSS
4.5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
7.5CVSS
7.4AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
7.5CVSS
7.4AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.
7.5CVSS
7.5AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
7.5CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
7.5CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.30.0. Authorization tokens can sometimes be disclosed to third-party servers, aka MMSA-2020-0018.
7.5CVSS
7.4AI Score
0.002EPSS
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
7.5CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.
7.5CVSS
7.1AI Score
0.002EPSS