142 matches found
CVE-2017-18885
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
CVE-2015-9548
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
CVE-2016-11069
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
CVE-2016-11083
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
CVE-2016-11081
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
CVE-2017-18907
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
CVE-2017-18916
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVE-2020-14452
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
CVE-2016-11075
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
CVE-2016-11076
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
CVE-2017-18880
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.
CVE-2017-18883
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
CVE-2018-21254
An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.
CVE-2019-20858
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
CVE-2020-14458
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
CVE-2016-11068
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
CVE-2017-18905
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
CVE-2017-18919
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVE-2020-14457
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
CVE-2016-11078
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
CVE-2017-18891
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.
CVE-2017-18913
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
CVE-2019-20843
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
CVE-2019-20877
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
CVE-2019-20881
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
CVE-2016-11062
An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
CVE-2016-11074
An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
CVE-2016-11077
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
CVE-2016-11079
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
CVE-2019-20887
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
CVE-2016-11065
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
CVE-2016-11072
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
CVE-2016-11084
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
CVE-2017-18890
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
CVE-2017-18894
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
CVE-2017-18914
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
CVE-2018-21253
An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.
CVE-2018-21256
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
CVE-2019-20842
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
CVE-2020-14459
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
CVE-2016-11082
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
CVE-2017-18876
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
CVE-2017-18898
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
CVE-2017-18906
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
CVE-2017-18908
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
CVE-2019-20873
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
CVE-2019-20884
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
CVE-2016-11063
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
CVE-2016-11073
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
CVE-2016-11080
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.