Mattermost / Mattermost Server

253 matches found

CVE-2024-2445 (added 2024/03/15 10:15 a.m.)

Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against ...

CVSS 6.1 | AI score 6 | EPSS 0.0032
CVE-2024-4182 (added 2024/04/26 9:15 a.m.)

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.

CVSS 4.3 | AI score 6.4 | EPSS 0.00193
CVE-2023-5331 (added 2023/10/09 11:15 a.m.)

Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.

CVSS 5.3 | AI score 4.7 | EPSS 0.00167
CVE-2024-2446 (added 2024/03/15 10:15 a.m.)

Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.

CVSS 4.3 | AI score 4.5 | EPSS 0.00132
CVE-2017-18885 (added 2020/06/19 7:15 p.m.)

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.

CVSS 9.8 | AI score 9.5 | EPSS 0.00408
CVE-2023-2515 (added 2023/05/12 9:15 a.m.)

Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin.

CVSS 8.8 | AI score 6.3 | EPSS 0.00096
CVE-2022-3257 (added 2022/09/23 3:15 p.m.)

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

CVSS 6.5 | AI score 4.8 | EPSS 0.0036
CVE-2023-5333 (added 2023/10/09 11:15 a.m.)

Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.

CVSS 6.5 | AI score 5.3 | EPSS 0.00118
CVE-2024-41926 (added 2024/08/01 3:15 p.m.)

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x

CVSS 4.3 | AI score 4.1 | EPSS 0.00073
CVE-2024-52032 (added 2024/11/09 6:15 p.m.)

Mattermost versions 10.0.x <= 10.0.0 and 9.11.x

CVSS 4.3 | AI score 4.5 | EPSS 0.00078
CVE-2025-27715 (added 2025/03/21 9:15 a.m.)

Mattermost versions 9.11.x

CVSS 3.3 | AI score 4 | EPSS 0.00049
CVE-2023-1421 (added 2023/03/15 11:15 p.m.)

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.

CVSS 6.1 | AI score 4.7 | EPSS 0.00743
CVE-2023-1777 (added 2023/03/31 12:15 p.m.)

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

CVSS 6.5 | AI score 5.6 | EPSS 0.00181
CVE-2024-28949 (added 2024/04/05 9:15 a.m.)

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 do not limit the number of user preferences, which allows an attacker to send a large number of user preferences, potentially causing denial of service.

CVSS 6.5 | AI score 4.5 | EPSS 0.00118
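CVE-2023-5333 (identical IDs sent to /api/v4/users/ids) and CVE-2024-28949 (an unbounded number of user preferences) share one fix pattern: bound the request body, deduplicate the list, and cap the number of unique items before any per-item work is done. The Go handler below is an added illustration written for this page, not Mattermost's code; the limits, the stand-in endpoint and the sample request bodies are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed limits for this example; Mattermost's real values are not taken from the page.
const (
	maxIDsPerRequest = 100
	maxBodyBytes     = 64 << 10 // 64 KiB
)

var errTooManyIDs = errors.New("too many ids in request")

// normalizeIDs drops empty and duplicate IDs (keeping first-seen order) and
// then enforces the per-request cap on the unique set. Counting after
// deduplication is what stops a request of 100 identical IDs from costing
// 100 store lookups; the raw list length is bounded separately by the body limit.
func normalizeIDs(ids []string, max int) ([]string, error) {
	seen := make(map[string]struct{}, len(ids))
	out := make([]string, 0, len(ids))
	for _, id := range ids {
		id = strings.TrimSpace(id)
		if id == "" {
			continue
		}
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		out = append(out, id)
		if len(out) > max {
			return nil, errTooManyIDs
		}
	}
	return out, nil
}

// usersByIDsHandler is a stand-in for an endpoint like /api/v4/users/ids:
// it bounds the body, parses the JSON array, normalizes it, and only then
// would hand the IDs to a store lookup (stubbed here as an echo).
func usersByIDsHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var ids []string
	if err := json.NewDecoder(r.Body).Decode(&ids); err != nil {
		http.Error(w, "invalid request body", http.StatusBadRequest)
		return
	}
	ids, err := normalizeIDs(ids, maxIDsPerRequest)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Real code would query the store with len(ids) distinct keys here.
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{"requested": len(ids), "ids": ids})
}

// postIDs runs the handler against an in-memory request and returns status and body.
func postIDs(body string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v4/users/ids", strings.NewReader(body))
	usersByIDsHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed input: the same ID repeated, which the normalization collapses to one.
	code, body := postIDs(`["u1","u1","u1","u2"]`)
	fmt.Println(code, body)
}
```

The same shape applies to a preferences endpoint: decode into a slice, reject the request once the slice exceeds the cap, and never iterate over an unbounded list.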
CVE-2025-24920 (added 2025/03/21 9:15 a.m.)

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x

CVSS 4.3 | AI score 4.5 | EPSS 0.00049
CVE-2015-9548 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.

CVSS 7.5 | AI score 7.3 | EPSS 0.00389
CVE-2021-37862 (added 2021/12/17 5:15 p.m.)

Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via a crafted invitation token.

CVSS 5.8 | AI score 5.4 | EPSS 0.00168
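The defence against the CVE-2021-37862 class of bug is to bind the invited address into the invitation token and check the address the user submits at signup against it. The Go code below is an added example for this page, not Mattermost's implementation: it uses an HMAC-SHA256 signed payload, a constructed secret key and constructed email addresses, and a fixed clock so the expiry check is deterministic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// inviteClaims is the payload the server signs. Binding the invited email
// into the token is the point: at signup the submitted address must equal
// the one inside the token, so an invite cannot be used to register an
// address of the attacker's choosing.
type inviteClaims struct {
	Email   string `json:"email"`
	TeamID  string `json:"team_id"`
	Expires int64  `json:"exp"`
}

var (
	errBadToken   = errors.New("invite token invalid")
	errExpired    = errors.New("invite token expired")
	errEmailMatch = errors.New("email does not match invitation")
)

// issueInvite produces "<base64url payload>.<base64url hmac>" for email.
func issueInvite(key []byte, email, teamID string, now time.Time, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(inviteClaims{
		Email:   strings.ToLower(strings.TrimSpace(email)),
		TeamID:  teamID,
		Expires: now.Add(ttl).Unix(),
	})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// acceptInvite verifies signature, expiry and the email binding, in that order.
func acceptInvite(key []byte, token, submittedEmail string, now time.Time) (*inviteClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errBadToken
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errBadToken
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, errBadToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errBadToken
	}
	var c inviteClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errBadToken
	}
	if now.Unix() >= c.Expires {
		return nil, errExpired
	}
	if strings.ToLower(strings.TrimSpace(submittedEmail)) != c.Email {
		return nil, errEmailMatch
	}
	return &c, nil
}

func main() {
	key := []byte("example-only-secret-not-for-production") // assumption: loaded from config in real code
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	tok, _ := issueInvite(key, "alice@example.com", "team1", now, 24*time.Hour)
	_, err := acceptInvite(key, tok, "attacker@evil.example", now.Add(time.Hour))
	fmt.Println("signup with a different address:", err)
	c, err := acceptInvite(key, tok, "Alice@Example.com", now.Add(time.Hour))
	fmt.Println("signup with the invited address:", c.Email, err)
}
```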
CVE-2024-28053 (added 2024/03/15 9:15 a.m.)

Mattermost Server versions 8.1.x before 8.1.10 fail to limit the size of the payload that can be read and parsed, allowing an attacker to send a very large email payload and crash the server (resource exhaustion).

CVSS 6.5 | AI score 4 | EPSS 0.00056
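CVE-2015-9548 (a small compressed file that inflates to a large size), CVE-2022-3257 (a crafted GIF exhausting resources during processing) and CVE-2024-28053 (an unbounded email payload) are all failures to bound how much data the server will read or expand. The Go code below is an added example for this page, not Mattermost's code; it shows the two bounds a practitioner needs, a limit on the raw bytes read and a separate limit on decompressed output, using a constructed gzip "bomb" as input. The limits are assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Assumed limits for this example, not values from Mattermost.
const (
	maxRequestBytes      = 1 << 20 // 1 MiB of raw request body
	maxDecompressedBytes = 8 << 20 // 8 MiB after inflation
)

var errTooLarge = errors.New("payload exceeds size limit")

// readBounded reads at most limit bytes and fails if more were offered.
// It asks for limit+1 bytes so a body of exactly limit bytes is accepted
// while anything longer is rejected rather than silently truncated, which
// is what a bare io.LimitReader would do.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errTooLarge
	}
	return data, nil
}

// inflateBounded decompresses gzip data but stops as soon as the output
// would exceed limit, so a few KiB that inflate to gigabytes cannot exhaust
// memory. Bounding the compressed size alone is not enough.
func inflateBounded(compressed []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return readBounded(zr, limit)
}

// gzipBytes constructs sample input for main and the tests.
func gzipBytes(plain []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(plain)
	zw.Close()
	return buf.Bytes()
}

// boundedBodyHandler applies the raw-size limit to an HTTP body:
// http.MaxBytesReader fails the read once the limit is passed and closes
// the connection so the client cannot keep streaming.
func boundedBodyHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "read %d bytes\n", len(body))
}

func main() {
	// Constructed "bomb": 4 MiB of zeros compresses to a few KiB.
	bomb := gzipBytes(make([]byte, 4<<20))
	fmt.Printf("compressed size: %d bytes\n", len(bomb))
	_, err := inflateBounded(bomb, 1<<20)
	fmt.Println("inflate with 1 MiB limit:", err)
	out, err := inflateBounded(bomb, maxDecompressedBytes)
	fmt.Println("inflate with 8 MiB limit:", len(out), err)
}
```

For image decoding the same idea applies before the decoder runs: read the header with image.DecodeConfig, reject dimensions above a pixel budget, and only then decode.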
CVE-2024-4198 (added 2024/04/26 9:15 a.m.)

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

CVSS 2.7 | AI score 3.7 | EPSS 0.00133
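CVE-2017-18885, CVE-2023-2515 and CVE-2024-4198 are all role or privilege checks that were incomplete: a request could reach a role the caller was never meant to assign. The Go code below is an added example for this page, not Mattermost's authorization code, and the role model it uses (guest, member, team_admin, system_admin) is an assumption. The point it shows is an explicit allow-list of which roles each actor may assign, applied to both the target's current and requested role, so anything not listed is denied.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed role model for this example (not Mattermost's actual scheme).
type role string

const (
	roleGuest       role = "guest"
	roleMember      role = "member"
	roleTeamAdmin   role = "team_admin"
	roleSystemAdmin role = "system_admin"
)

var errForbidden = errors.New("role change not permitted")

// allowedTransitions maps an actor's role to the set of roles it may assign.
// Anything absent is denied. A team admin may move people between member
// and team_admin only; guest status and system_admin are reserved for a
// system admin. Checking against a deny-list of known-bad cases is what
// lets a crafted request slip an unlisted role through.
var allowedTransitions = map[role]map[role]bool{
	roleTeamAdmin:   {roleMember: true, roleTeamAdmin: true},
	roleSystemAdmin: {roleGuest: true, roleMember: true, roleTeamAdmin: true, roleSystemAdmin: true},
}

// changeRole applies the allow-list to the requested role and to the
// target's current role, so an actor cannot demote someone above their
// scope either. It returns the role the target ends up with.
func changeRole(actor, targetCurrent, targetNew role) (role, error) {
	allowed := allowedTransitions[actor]
	if !allowed[targetNew] || !allowed[targetCurrent] {
		return targetCurrent, errForbidden
	}
	return targetNew, nil
}

func main() {
	cases := []struct{ actor, cur, next role }{
		{roleTeamAdmin, roleMember, roleGuest},       // the demotion CVE-2024-4198 describes
		{roleTeamAdmin, roleMember, roleTeamAdmin},   // within scope
		{roleTeamAdmin, roleSystemAdmin, roleMember}, // cannot demote a system admin
		{roleMember, roleMember, roleSystemAdmin},    // plain user self-promotion
	}
	for _, c := range cases {
		got, err := changeRole(c.actor, c.cur, c.next)
		fmt.Printf("%-12s %-12s -> %-12s : %s %v\n", c.actor, c.cur, c.next, got, err)
	}
}
```

The same allow-list should be consulted by every path that can end up changing a role, including token-creation and user-edit endpoints, since CVE-2023-2515 shows the escalation arriving through a combination of permissions rather than a single role-update call.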
CVE-2023-27265 (added 2023/02/27 3:15 p.m.)

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.

CVSS 2.7 | AI score 3.5 | EPSS 0.00153
CVE-2021-37863 (added 2021/12/17 5:15 p.m.)

Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.

CVSS 5.7 | AI score 5.3 | EPSS 0.00572
CVE-2023-5330 (added 2023/10/09 11:15 a.m.)

Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and making the server unavailable.

CVSS 7.5 | AI score 5.7 | EPSS 0.00118
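A cache fed by attacker-chosen URLs, as in CVE-2023-5330, needs two limits: a per-entry cap so one crafted page cannot occupy the whole cache, and a total byte budget with eviction so many requests cannot grow it without bound. The Go code below is an added example for this page, not Mattermost's cache; the limits and the payloads standing in for fetched OpenGraph data are constructed.

```go
package main

import (
	"container/list"
	"errors"
	"fmt"
	"sync"
)

var errEntryTooLarge = errors.New("cache entry exceeds per-entry limit")

type cacheEntry struct {
	key  string
	data []byte
}

// boundedCache is an LRU keyed by URL with a per-entry cap and a total
// byte budget; the least recently used entries are evicted when the budget
// is exceeded.
type boundedCache struct {
	mu       sync.Mutex
	maxEntry int
	maxTotal int
	total    int
	order    *list.List // front = most recently used
	items    map[string]*list.Element
}

func newBoundedCache(maxEntry, maxTotal int) *boundedCache {
	return &boundedCache{
		maxEntry: maxEntry,
		maxTotal: maxTotal,
		order:    list.New(),
		items:    make(map[string]*list.Element),
	}
}

// Set rejects oversized entries outright and evicts to stay within budget.
func (c *boundedCache) Set(key string, data []byte) error {
	if len(data) > c.maxEntry {
		return errEntryTooLarge
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.items[key]; ok {
		old := el.Value.(*cacheEntry)
		c.total -= len(old.data)
		old.data = data
		c.total += len(data)
		c.order.MoveToFront(el)
	} else {
		el := c.order.PushFront(&cacheEntry{key: key, data: data})
		c.items[key] = el
		c.total += len(data)
	}
	for c.total > c.maxTotal {
		ent := c.order.Remove(c.order.Back()).(*cacheEntry)
		delete(c.items, ent.key)
		c.total -= len(ent.data)
	}
	return nil
}

// Get returns the cached bytes and marks the entry as recently used.
func (c *boundedCache) Get(key string) ([]byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.items[key]
	if !ok {
		return nil, false
	}
	c.order.MoveToFront(el)
	return el.Value.(*cacheEntry).data, true
}

func (c *boundedCache) Len() int   { c.mu.Lock(); defer c.mu.Unlock(); return len(c.items) }
func (c *boundedCache) Bytes() int { c.mu.Lock(); defer c.mu.Unlock(); return c.total }

func main() {
	// Assumed limits: 1 KiB per entry, 4 KiB in total.
	c := newBoundedCache(1024, 4096)
	fmt.Println("oversized entry:", c.Set("https://a.example", make([]byte, 2048)))
	for i := 0; i < 10; i++ {
		c.Set(fmt.Sprintf("https://site%d.example", i), make([]byte, 1000))
	}
	fmt.Println("entries:", c.Len(), "bytes:", c.Bytes())
}
```

The per-entry check happens before the lock and before the fetched body is retained, so the rejection is cheap; pair it with a bounded read of the remote page (the decompression example earlier on this page) so the oversized body is never fully buffered in the first place.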
CVE-2024-39837 (added 2024/08/01 3:15 p.m.)

Mattermost versions 9.9.x <= 9.9.0, 9.5.x

CVSS 5.4 | AI score 7.2 | EPSS 0.00109
CVE-2024-22091 (added 2024/04/26 9:15 a.m.)

Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x

CVSS 6.5 | AI score 6.7 | EPSS 0.00138
CVE-2024-2447 (added 2024/04/05 9:15 a.m.)

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

CVSS 6.5 | AI score 6.2 | EPSS 0.00189
CVE-2024-41144 (added 2024/08/01 3:15 p.m.)

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x

CVSS 7.1 | AI score 7.1 | EPSS 0.00168
CVE-2016-11069 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.

CVSS 7.5 | AI score 7.6 | EPSS 0.00195
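Password change is a credential check like login and needs the same brute-force protection, which is what CVE-2016-11069 was missing. The Go code below is an added example for this page, not Mattermost's rate limiting: a per-user failure counter with a lockout window, consulted before the current password is verified so a locked account cannot be probed. The policy numbers are assumptions, and the clock is injected so the behaviour can be exercised without sleeping.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Assumed policy: at most maxAttempts failures per window, then lock for lockout.
const (
	maxAttempts = 5
	window      = 10 * time.Minute
	lockout     = 15 * time.Minute
)

type attemptState struct {
	failures    int
	windowStart time.Time
	lockedUntil time.Time
}

// attemptLimiter tracks failed attempts per key (user ID here; a real
// deployment would also key by source IP).
type attemptLimiter struct {
	mu    sync.Mutex
	now   func() time.Time
	state map[string]*attemptState
}

func newAttemptLimiter(now func() time.Time) *attemptLimiter {
	return &attemptLimiter{now: now, state: make(map[string]*attemptState)}
}

// allow reports whether key may attempt right now.
func (l *attemptLimiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.state[key]
	if !ok {
		return true
	}
	return !l.now().Before(s.lockedUntil)
}

// recordFailure counts a failed attempt and locks the key once the
// threshold is reached within the window.
func (l *attemptLimiter) recordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	s, ok := l.state[key]
	if !ok || now.Sub(s.windowStart) > window {
		s = &attemptState{windowStart: now}
		l.state[key] = s
	}
	s.failures++
	if s.failures >= maxAttempts {
		s.lockedUntil = now.Add(lockout)
	}
}

// recordSuccess clears the counter after a verified current password.
func (l *attemptLimiter) recordSuccess(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.state, key)
}

// changePassword is the guarded operation. The limiter is checked first,
// so even the correct password is refused while locked, and a failure is
// recorded before the error is returned.
func changePassword(l *attemptLimiter, userID, current, proposed string, verify func(string) bool) error {
	if !l.allow(userID) {
		return fmt.Errorf("too many failed attempts; try again later")
	}
	if !verify(current) {
		l.recordFailure(userID)
		return fmt.Errorf("current password is incorrect")
	}
	l.recordSuccess(userID)
	_ = proposed // a real implementation would hash and store it here
	return nil
}

func main() {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	l := newAttemptLimiter(func() time.Time { return clock })
	verify := func(p string) bool { return p == "correct horse" } // constructed stand-in
	for i := 0; i < 6; i++ {
		fmt.Println(i+1, changePassword(l, "user1", "guess", "new", verify))
	}
}
```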
CVE-2016-11083 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.

CVSS 6.1 | AI score 5.8 | EPSS 0.00359
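User uploads served inline from the application's own origin, the condition behind CVE-2016-11083, let an uploaded HTML file run script with the victim's session. The Go handler below is an added example for this page, not Mattermost's file endpoint; it shows the response headers that keep a download from being rendered: an attachment disposition with an escaped filename, a non-sniffable content type and a sandboxing CSP. The in-memory "upload" is constructed.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strconv"
)

// Constructed in-memory upload standing in for stored user files.
var uploads = map[string][]byte{
	"notes.html": []byte("<script>alert(document.cookie)</script>"),
}

// serveUserFile returns an uploaded file in a way the browser will not
// render in the application's origin: always an attachment, never
// MIME-sniffed, with a CSP that sandboxes it even if a client ignores the
// disposition. mime.FormatMediaType quotes the filename so a crafted name
// cannot inject extra header parameters.
func serveUserFile(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Query().Get("name")) // strip any directory part
	data, ok := uploads[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Length", strconv.Itoa(len(data)))
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": name}))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	h.Set("Cache-Control", "private, no-store")
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

// fetchFile runs the handler against an in-memory request.
func fetchFile(name string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/files?name="+url.QueryEscape(name), nil)
	serveUserFile(rec, req)
	return rec
}

func main() {
	rec := fetchFile("notes.html")
	fmt.Println(rec.Code)
	for _, k := range []string{"Content-Type", "Content-Disposition", "X-Content-Type-Options", "Content-Security-Policy"} {
		fmt.Printf("%s: %s\n", k, rec.Header().Get(k))
	}
}
```

Where previews must be rendered inline (images, PDFs), serve them from a separate origin that holds no session cookies rather than relaxing these headers on the main one.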
CVE-2023-1775 (added 2023/03/31 12:15 p.m.)

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

CVSS 6.5 | AI score 5.2 | EPSS 0.00176
CVE-2024-42406 (added 2024/09/26 8:15 a.m.)

Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x

CVSS 5.4 | AI score 5.3 | EPSS 0.0008
CVE-2016-11081 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.

CVSS 4.3 | AI score 4.4 | EPSS 0.00226
CVE-2017-18907 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.

CVSS 6.1 | AI score 5.8 | EPSS 0.00359
CVE-2017-18916 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.

CVSS 5.3 | AI score 5.2 | EPSS 0.00195
CVE-2020-14452 (added 2020/06/19 2:15 p.m.)

An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.

CVSS 5.3 | AI score 5.3 | EPSS 0.00144
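The check that a directory traversal bug like CVE-2020-14452 needs is small but easy to get subtly wrong. The Go function below is an added example for this page, not mmctl's or Mattermost's code: it resolves a client-supplied relative path under a base directory and refuses anything that would land outside it, including the "/srv/data" versus "/srv/data2" string-prefix trap. The base directory and sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideBase = errors.New("path escapes base directory")

// safeJoin joins userPath under base and rejects anything that resolves
// outside it. Absolute paths are refused up front, the joined path is
// cleaned so ".." segments are resolved, and the check requires base plus a
// separator as prefix because "/srv/data" is a string prefix of
// "/srv/data2" without being its parent.
func safeJoin(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", errOutsideBase
	}
	base = filepath.Clean(base)
	full := filepath.Clean(filepath.Join(base, userPath))
	if full == base {
		return full, nil
	}
	if !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", errOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed inputs, including traversal attempts.
	for _, p := range []string{"reports/q1.csv", "../../etc/passwd", "./ok/../fine.txt", "/etc/passwd", "../data2/x"} {
		out, err := safeJoin("/srv/data", p)
		fmt.Printf("%-20s -> %q %v\n", p, out, err)
	}
}
```

This is a lexical check only: if base can contain symlinks the caller controls, resolve the final path with filepath.EvalSymlinks and apply the same prefix test to the result.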
CVE-2023-1774 (added 2023/03/31 12:15 p.m.)

When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.

CVSS 5.4 | AI score 4.6 | EPSS 0.00152
CVE-2024-39839 (added 2024/08/01 3:15 p.m.)

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x

CVSS 4.3 | AI score 7 | EPSS 0.00108
CVE-2024-42497 (added 2024/08/22 4:15 p.m.)

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x

CVSS 6 | AI score 6 | EPSS 0.00137
CVE-2024-45843 (added 2024/09/26 8:15 a.m.)

Mattermost versions 9.5.x

CVSS 5.4 | AI score 4.1 | EPSS 0.0006
CVE-2025-3611 (added 2025/05/30 3:15 p.m.)

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x

CVSS 4.3 | AI score 3.9 | EPSS 0.00034
CVE-2016-11075 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.

CVSS 5.3 | AI score 4.9 | EPSS 0.00237
CVE-2024-47145 (added 2024/09/26 8:15 a.m.)

Mattermost versions 9.5.x

CVSS 4.3 | AI score 4 | EPSS 0.0006
CVE-2016-11076 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.

CVSS 5.3 | AI score 5.2 | EPSS 0.00203
CVE-2017-18880 (added 2020/06/19 7:15 p.m.)

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.

CVSS 6.1 | AI score 5.9 | EPSS 0.00359
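CVE-2024-2445 (unescaped user-controlled output in generated HTML pages), CVE-2017-18907 (XSS via a channel header) and CVE-2017-18880 (XSS via the title_link of a Slack attachment) are the two halves of the same escaping problem: attacker text landing in element content, and an attacker URL landing in an href. The Go code below is an added example for this page, not Mattermost's templates; it puts the string-concatenation pattern that causes the bug beside Go's html/template, which escapes per context and replaces an href with an unsafe scheme with the "#ZgotmplZ" marker. The page structure and inputs are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed page data: both fields are attacker-controlled in the
// scenarios these CVEs describe (a reflected query parameter, a channel
// header, the title_link of a Slack-style attachment).
type pageData struct {
	Header    string
	TitleLink string
}

// renderUnsafe is the pattern that leads to reflected or stored XSS:
// values are spliced into markup as plain strings.
func renderUnsafe(d pageData) string {
	return fmt.Sprintf(`<h1>%s</h1><a href="%s">open</a>`, d.Header, d.TitleLink)
}

// safeTmpl uses html/template, which escapes according to the context each
// value lands in: element content gets entity escaping, and an href whose
// scheme is not http, https or mailto is replaced with "#ZgotmplZ".
var safeTmpl = template.Must(template.New("page").Parse(
	`<h1>{{.Header}}</h1><a href="{{.TitleLink}}">open</a>`))

func renderSafe(d pageData) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	d := pageData{
		Header:    `<img src=x onerror=alert(1)>`,
		TitleLink: `javascript:alert(document.cookie)`,
	}
	fmt.Println("unsafe:", renderUnsafe(d))
	out, _ := renderSafe(d)
	fmt.Println("safe:  ", out)
}
```

The contextual escaper only helps when values reach the template as data; marking attacker input as template.HTML or template.URL turns the protection off for that value.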
CVE-2017-18883 (added 2020/06/19 7:15 p.m.)

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.

CVSS 9.1 | AI score 9.2 | EPSS 0.00313
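Two OAuth entries on this page fail at the same two points: CVE-2017-18883 (authorization data with low entropy) and CVE-2023-1421 (a crafted state parameter reflected by the flow completion endpoint). The Go code below is an added example for this page, not Mattermost's OAuth implementation. It draws authorization codes and state values from crypto/rand, keeps the issued state server-side bound to the session that started the flow, and on callback consumes it once and compares in constant time without ever echoing it back. The store, session IDs and clock are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

var errBadState = errors.New("state missing, unknown, expired or already used")

// randomToken returns n bytes from crypto/rand, base64url-encoded. This is
// what gives authorization codes and state values their entropy; deriving
// them from time, counters or math/rand is the "low entropy" failure.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// stateStore remembers issued state values server-side, keyed by the
// session that started the flow. The callback looks the value up, deletes
// it (single use) and compares in constant time; the value from the URL is
// never written into the response, so a crafted state cannot be reflected.
type stateStore struct {
	mu      sync.Mutex
	now     func() time.Time
	entries map[string]stateEntry
}

type stateEntry struct {
	state   string
	expires time.Time
}

func newStateStore(now func() time.Time) *stateStore {
	return &stateStore{now: now, entries: make(map[string]stateEntry)}
}

// begin issues a fresh state for sessionID, valid for ttl.
func (s *stateStore) begin(sessionID string, ttl time.Duration) (string, error) {
	st, err := randomToken(32)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[sessionID] = stateEntry{state: st, expires: s.now().Add(ttl)}
	return st, nil
}

// complete validates the state returned on the callback for sessionID.
func (s *stateStore) complete(sessionID, returned string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[sessionID]
	if !ok {
		return errBadState
	}
	delete(s.entries, sessionID) // single use, whether or not it matches
	if s.now().After(e.expires) {
		return errBadState
	}
	if subtle.ConstantTimeCompare([]byte(e.state), []byte(returned)) != 1 {
		return errBadState
	}
	return nil
}

func main() {
	store := newStateStore(time.Now)
	st, _ := store.begin("sess-1", 5*time.Minute)
	code, _ := randomToken(32)
	fmt.Println("state:", st)
	fmt.Println("authorization code:", code)
	fmt.Println("callback with crafted state:", store.complete("sess-1", "<script>alert(1)</script>"))
	// The real state was consumed by the failed callback; the flow must restart.
	fmt.Println("callback with real state afterwards:", store.complete("sess-1", st))
}
```

Authorization codes need the same treatment on the server side: stored with an expiry and the client they were issued to, and deleted on first redemption.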
CVE-2018-21254 (added 2020/06/19 5:15 p.m.)

An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.

CVSS 4.3 | AI score 4.7 | EPSS 0.00152
CVE-2019-20858 (added 2020/06/19 3:15 p.m.)

An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.

CVSS 7.5 | AI score 7.5 | EPSS 0.00389
CVE-2020-14458 (added 2020/06/19 2:15 p.m.)

An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.

CVSS 7.5 | AI score 7.5 | EPSS 0.00322
CVE-2016-11068 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.

CVSS 5.3 | AI score 5.5 | EPSS 0.0035
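CVE-2019-20858 (crafted characters in a SQL LIKE pattern driving CPU consumption) and CVE-2016-11068 (reading LDAP fields via filter injection) both come from user text being embedded in a query language whose metacharacters it is allowed to contain. The Go code below is an added example for this page, not Mattermost's query code: it escapes LIKE metacharacters and counts the wildcards that remain, and applies RFC 4515 escaping before a value goes into an LDAP filter. Column, attribute and filter names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLike escapes the LIKE metacharacters so that user input matches
// literally. The escape character must be declared in the query
// (... LIKE ? ESCAPE '\') and the value must still be passed as a bound
// parameter: escaping wildcards is not a substitute for parameterization.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// wildcardCount reports how many unescaped wildcards a pattern carries, so
// a caller can cap them: a pattern stuffed with %...% forces the database
// into repeated backtracking over every candidate row.
func wildcardCount(pattern string) int {
	n := 0
	for i := 0; i < len(pattern); i++ {
		switch pattern[i] {
		case '\\':
			i++ // skip the escaped character
		case '%', '_':
			n++
		}
	}
	return n
}

// buildPrefixSearch produces a bounded prefix search; the term is bound,
// not concatenated, and the only wildcard is the one the server appends.
func buildPrefixSearch(term string) (sql string, arg string) {
	return "SELECT Id FROM Users WHERE Username LIKE ? ESCAPE '\\' LIMIT 100", escapeLike(term) + "%"
}

// escapeLDAPFilter applies RFC 4515 escaping so a value can be placed in a
// search filter without changing its structure. Without it a username such
// as "*)(mail=*" turns an equality match into a wildcard read of another
// attribute.
func escapeLDAPFilter(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		switch c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

func buildLDAPUserFilter(username string) string {
	return "(&(objectClass=person)(uid=" + escapeLDAPFilter(username) + "))"
}

func main() {
	sql, arg := buildPrefixSearch(`50%_off\`)
	fmt.Println(sql, "--", arg, "wildcards:", wildcardCount(arg))
	fmt.Println(buildLDAPUserFilter("*)(mail=*"))
}
```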
CVE-2017-18905 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider. Session invalidation was mishandled.

CVSS 5.3 | AI score 5.3 | EPSS 0.00195
CVE-2017-18919 (added 2020/06/19 8:15 p.m.)

An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.

CVSS 5.3 | AI score 5.3 | EPSS 0.00224
Total number of security vulnerabilities: 253