CVE-2023-1831
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
CVE-2022-0903
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
CVE-2023-1776
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
CVE-2015-9548
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
CVE-2023-5330
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data, allowing an attacker to send a specially crafted request to the /api/v4/opengraph endpoint, filling the cache and making the server unavailable.
CVE-2024-41144
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x
CVE-2016-11069
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
CVE-2019-20858
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
CVE-2020-14458
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
CVE-2019-20843
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
CVE-2019-20881
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
CVE-2019-20842
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
CVE-2020-14459
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
CVE-2019-20855
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
CVE-2019-20859
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
CVE-2019-20868
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
CVE-2019-20871
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
CVE-2019-20880
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
CVE-2020-14453
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
CVE-2023-3590
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
CVE-2019-20845
An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
CVE-2019-20863
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
CVE-2019-20874
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
CVE-2020-14450
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
CVE-2017-18909
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
CVE-2018-21248
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
CVE-2018-21262
An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text.
CVE-2019-20886
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
CVE-2020-14448
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
CVE-2023-49607
Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.
CVE-2016-11066
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
CVE-2019-20846
An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
CVE-2019-20854
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
CVE-2019-20862
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
CVE-2020-14447
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
CVE-2017-18917
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
CVE-2019-20857
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
CVE-2019-20888
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.
CVE-2017-18871
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
CVE-2019-20885
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
CVE-2018-21258
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
CVE-2023-45847
Mattermost fails to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin.