Mattermost Security Vulnerabilities

CVE-2021-37865

Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of...

CVE-2021-37866

Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for...

CVE-2021-37863

Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted...

CVE-2021-37862

Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation...

CVE-2021-37861

Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation...

CVE-2021-37860

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default...

CVE-2021-37859

Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of...

CVE-2020-13891

An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka...

CVE-2017-18906

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's...

CVE-2017-18915

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint...

CVE-2017-18916

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission...

CVE-2017-18918

An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary...

CVE-2017-18905

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was...

CVE-2017-18917

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification...

CVE-2017-18907

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel...

CVE-2017-18914

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an...

CVE-2017-18920

An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin...

CVE-2016-11084

An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via...

CVE-2017-18913

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error...

CVE-2017-18908

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail...

CVE-2017-18919

An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team...

CVE-2017-18921

An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error...

CVE-2016-11071

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in...

CVE-2016-11074

An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be...

CVE-2016-11077

An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP...

CVE-2016-11072

An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were...

CVE-2016-11075

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an...

CVE-2016-11080

An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account...

CVE-2016-11083

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser...

CVE-2016-11069

An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password...

CVE-2016-11070

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code...

CVE-2016-11076

An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over...

CVE-2016-11079

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect...

CVE-2016-11082

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted...

CVE-2016-11073

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support...

CVE-2016-11078

An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console...

CVE-2016-11081

An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web...

CVE-2016-11065

An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's...

CVE-2016-11062

An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be...

CVE-2016-11067

An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to...

CVE-2016-11066

An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal...

CVE-2016-11068

An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via...

CVE-2016-11063

An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file...

CVE-2016-11064

An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via...

CVE-2015-9548

An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when...

CVE-2017-18898

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to...

CVE-2017-18897

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a...

CVE-2017-18901

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON...

CVE-2017-18902

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API...

CVE-2017-18912

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log...