Mattermost Server

253 matches found

CVE-2016-11066 (added 2020/06/19 8:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.

CVSS 7.5 | AI score 7.5 | EPSS 0.00322

CVE-2016-11070 (added 2020/06/19 8:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.

CVSS 5.4 | AI score 5.1 | EPSS 0.00343

CVE-2017-18877 (added 2020/06/19 5:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.

CVSS 6.1 | AI score 5.9 | EPSS 0.00359

CVE-2017-18900 (added 2020/06/19 7:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.

CVSS 9.8 | AI score 9.4 | EPSS 0.00647

CVE-2018-21261 (added 2020/06/19 5:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.

CVSS 4.3 | AI score 4.6 | EPSS 0.00152

CVE-2019-20846 (added 2020/06/19 2:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.

CVSS 7.5 | AI score 7.5 | EPSS 0.00209

CVE-2019-20854 (added 2020/06/19 3:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.

CVSS 7.5 | AI score 7.3 | EPSS 0.00598

CVE-2019-20862 (added 2020/06/19 3:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.

CVSS 7.5 | AI score 7.4 | EPSS 0.00241

CVE-2019-20865 (added 2020/06/19 4:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.

CVSS 8.8 | AI score 8.6 | EPSS 0.00171

CVE-2019-20867 (added 2020/06/19 4:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.

CVSS 5.3 | AI score 5.2 | EPSS 0.00241

CVE-2019-20890 (added 2020/06/19 5:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.

CVSS 4.3 | AI score 4.6 | EPSS 0.00226

CVE-2020-14447 (added 2020/06/19 2:15 p.m., 28 views)

An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.

CVSS 7.5 | AI score 7.3 | EPSS 0.00389

CVE-2024-40884 (added 2024/08/22 4:15 p.m., 28 views)

Mattermost versions 9.5.x <= 9.5.7, 9.10.x

CVSS 2.7 | AI score 6.8 | EPSS 0.00171

CVE-2017-18899 (added 2020/06/19 7:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.

CVSS 5.3 | AI score 5.3 | EPSS 0.00377

CVE-2017-18917 (added 2020/06/19 8:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.

CVSS 7.5 | AI score 7.5 | EPSS 0.00151

CVE-2018-21250 (added 2020/06/19 5:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.

CVSS 6.5 | AI score 6.3 | EPSS 0.00388

CVE-2018-21252 (added 2020/06/19 6:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.

CVSS 4.3 | AI score 4.6 | EPSS 0.00152

CVE-2018-21259 (added 2020/06/19 5:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel.

CVSS 5.3 | AI score 5.2 | EPSS 0.00377

CVE-2019-20847 (added 2020/06/19 2:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.

CVSS 5.3 | AI score 5.2 | EPSS 0.00241

CVE-2019-20857 (added 2020/06/19 3:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.

CVSS 7.5 | AI score 7.3 | EPSS 0.00389

CVE-2019-20860 (added 2020/06/19 3:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.

CVSS 5.5 | AI score 5.4 | EPSS 0.00241

CVE-2019-20882 (added 2020/06/19 5:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.

CVSS 5.3 | AI score 5.2 | EPSS 0.00195

CVE-2019-20888 (added 2020/06/19 5:15 p.m., 27 views)

An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.

CVSS 7.5 | AI score 7.5 | EPSS 0.00389

CVE-2023-3585 (added 2023/07/17 4:15 p.m., 27 views)

Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.

CVSS 4.3 | AI score 4.5 | EPSS 0.00135

CVE-2023-3591 (added 2023/07/17 4:15 p.m., 27 views)

Mattermost fails to invalidate previously generated password reset tokens when a new reset token is created.

CVSS 8.2 | AI score 6.4 | EPSS 0.00199

CVE-2017-18871 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.

CVSS 7.5 | AI score 7.3 | EPSS 0.00536

CVE-2017-18892 (added 2020/06/19 7:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.

CVSS 6.1 | AI score 6.2 | EPSS 0.00243

CVE-2017-18902 (added 2020/06/19 7:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

CVSS 5.3 | AI score 5.2 | EPSS 0.00237

CVE-2017-18911 (added 2020/06/19 7:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.

CVSS 9.1 | AI score 9.1 | EPSS 0.00136

CVE-2017-18912 (added 2020/06/19 7:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.

CVSS 9.8 | AI score 9.2 | EPSS 0.00733

CVE-2018-21251 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.

CVSS 9.8 | AI score 9.4 | EPSS 0.00408

CVE-2018-21257 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API.

CVSS 5.3 | AI score 5.3 | EPSS 0.00195

CVE-2018-21260 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.

CVSS 4 | AI score 4.1 | EPSS 0.00232

CVE-2018-21263 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.

CVSS 8.8 | AI score 8.4 | EPSS 0.00336

CVE-2019-20875 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.

CVSS 5.3 | AI score 5.3 | EPSS 0.00195

CVE-2019-20885 (added 2020/06/19 5:15 p.m., 26 views)

An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.

CVSS 7.5 | AI score 7.4 | EPSS 0.00276

CVE-2023-3577 (added 2023/07/17 4:15 p.m., 26 views)

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.

CVSS 4.3 | AI score 4.2 | EPSS 0.00158

CVE-2023-49874 (added 2023/12/12 9:15 a.m., 26 views)

Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run, allowing a guest to update the tasks of a private playbook run if they know the run ID.

CVSS 4.3 | AI score 4.5 | EPSS 0.00144

CVE-2023-6547 (added 2023/12/12 9:15 a.m., 26 views)

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to t...

CVSS 5.4 | AI score 4.7 | EPSS 0.00211

CVE-2017-18897 (added 2020/06/19 7:15 p.m., 25 views)

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.

CVSS 6.1 | AI score 6.2 | EPSS 0.00197

CVE-2017-18901 (added 2020/06/19 7:15 p.m., 25 views)

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.

CVSS 5.3 | AI score 5.2 | EPSS 0.00237

CVE-2017-18920 (added 2020/06/19 8:15 p.m., 25 views)

An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.

CVSS 9.8 | AI score 9.4 | EPSS 0.00504

CVE-2017-18921 (added 2020/06/19 8:15 p.m., 25 views)

An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.

CVSS 6.1 | AI score 5.9 | EPSS 0.00359

CVE-2018-21258 (added 2020/06/19 5:15 p.m., 25 views)

An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.

CVSS 7.5 | AI score 7.3 | EPSS 0.005

CVE-2023-3613 (added 2023/07/17 4:15 p.m., 25 views)

Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.

CVSS 3.5 | AI score 3.8 | EPSS 0.00117

CVE-2023-46701 (added 2023/12/12 9:15 a.m., 25 views)

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID.

CVSS 6.5 | AI score 5.6 | EPSS 0.00192

CVE-2023-3614 (added 2023/07/17 4:15 p.m., 23 views)

Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to a specially crafted image file.

CVSS 4.3 | AI score 4.3 | EPSS 0.0007

CVE-2023-45847 (added 2023/12/12 9:15 a.m., 22 views)

Mattermost fails to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin.

CVSS 7.5 | AI score 5.7 | EPSS 0.00129

CVE-2023-3587 (added 2023/07/17 4:15 p.m., 20 views)

Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.

CVSS 2.7 | AI score 3.3 | EPSS 0.0006

CVE-2025-47871 (added 2025/06/30 5:15 p.m., 9 views)

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x

CVSS 5.4 | AI score 6 | EPSS 0.0003

Total number of security vulnerabilities: 253