Mattermost Server Security Vulnerabilities and Issues — Mattermost Server CVE List

Lucene search

MattermostMattermost Server

10 matches found

CVE•added 2024/04/05 9:15 a.m.•152 views

CVE-2024-21848

Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel

3.1CVSS3.9AI score0.00129EPSS

CVE•added 2024/04/05 9:15 a.m.•76 views

CVE-2024-29221

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, eve...

4.7CVSS6.5AI score0.00046EPSS

CVE•added 2024/04/26 9:15 a.m.•76 views

CVE-2024-32046

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x

4.3CVSS6.3AI score0.00097EPSS

CVE•added 2024/04/26 9:15 a.m.•76 views

CVE-2024-4183

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

6.5CVSS6.5AI score0.00174EPSS

CVE•added 2024/04/26 9:15 a.m.•56 views

CVE-2024-4195

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

2.7CVSS6.5AI score0.00139EPSS

CVE•added 2024/04/26 9:15 a.m.•53 views

CVE-2024-4182

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.

4.3CVSS6.4AI score0.00193EPSS

CVE•added 2024/04/05 9:15 a.m.•48 views

CVE-2024-28949

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.

6.5CVSS4.5AI score0.00118EPSS

CVE•added 2024/04/26 9:15 a.m.•46 views

CVE-2024-4198

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

2.7CVSS3.7AI score0.00133EPSS

CVE•added 2024/04/26 9:15 a.m.•43 views

CVE-2024-22091

Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x

6.5CVSS6.7AI score0.00138EPSS

CVE•added 2024/04/05 9:15 a.m.•43 views

CVE-2024-2447

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

6.5CVSS6.2AI score0.00189EPSS