Mattermost Server Security Vulnerabilities and Issues — Mattermost Server CVE List

Lucene search

MattermostMattermost Server

11 matches found

CVE•added 2023/12/06 9:15 a.m.•142 views

CVE-2023-6458

Mattermost webapp fails to validate route parameters in//channels/ allowing an attacker to perform a client-side path traversal.

9.8CVSS8AI score0.00397EPSS

CVE•added 2023/12/06 9:15 a.m.•125 views

CVE-2023-6459

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

5.3CVSS5.1AI score0.00322EPSS

CVE•added 2023/12/29 1:15 p.m.•125 views

CVE-2023-7113

Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.

6.1CVSS6.1AI score0.00556EPSS

CVE•added 2023/12/12 9:15 a.m.•61 views

CVE-2023-45316

Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/ as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.

8.8CVSS7.9AI score0.002EPSS

CVE•added 2023/12/12 9:15 a.m.•32 views

CVE-2023-49809

Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.

6.5CVSS5.3AI score0.00129EPSS

CVE•added 2023/12/12 11:15 a.m.•30 views

CVE-2023-6727

Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like ...

4.3CVSS4.2AI score0.00251EPSS

CVE•added 2023/12/12 9:15 a.m.•29 views

CVE-2023-49607

Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.

7.5CVSS5.8AI score0.00111EPSS

CVE•added 2023/12/12 9:15 a.m.•26 views

CVE-2023-49874

Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.

4.3CVSS4.5AI score0.00144EPSS

CVE•added 2023/12/12 9:15 a.m.•26 views

CVE-2023-6547

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to t...

5.4CVSS4.7AI score0.00211EPSS

CVE•added 2023/12/12 9:15 a.m.•25 views

CVE-2023-46701

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

6.5CVSS5.6AI score0.00192EPSS

CVE•added 2023/12/12 9:15 a.m.•22 views

CVE-2023-45847

Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin

7.5CVSS5.7AI score0.00129EPSS