Filtered by vendor Mattermost
Subscribe
Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11599 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 8.2 HIGH |
| Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration. | |||||
| CVE-2024-11358 | 2 Google, Mattermost | 2 Android, Mattermost Mobile | 2026-06-17 | N/A | 5.7 MEDIUM |
| Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider. | |||||
| CVE-2024-10241 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | |||||
| CVE-2024-10214 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 3.5 LOW |
| Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings. | |||||
| CVE-2023-7114 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 7.1 HIGH |
| Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | |||||
| CVE-2023-7113 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.7 LOW |
| Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | |||||
| CVE-2023-6727 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.1 LOW |
| Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. | |||||
| CVE-2023-6547 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.7 LOW |
| Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. | |||||
| CVE-2023-6459 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 5.3 MEDIUM |
| Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs. | |||||
| CVE-2023-6458 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 7.1 HIGH |
| Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | |||||
| CVE-2023-6202 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards. | |||||
| CVE-2023-5969 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 5.3 MEDIUM |
| Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. | |||||
| CVE-2023-5968 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 4.9 MEDIUM |
| Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | |||||
| CVE-2023-5967 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin | |||||
| CVE-2023-5920 | 2 Apple, Mattermost | 2 Macos, Mattermost Desktop | 2026-06-17 | N/A | 2.9 LOW |
| Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input. | |||||
| CVE-2023-5876 | 1 Mattermost | 1 Mattermost Desktop | 2026-06-17 | N/A | 3.1 LOW |
| Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service. | |||||
| CVE-2023-5875 | 1 Mattermost | 1 Mattermost Desktop | 2026-06-17 | N/A | 3.7 LOW |
| Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server | |||||
| CVE-2023-5522 | 1 Mattermost | 1 Mattermost | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. | |||||
| CVE-2023-5339 | 1 Mattermost | 1 Mattermost Desktop | 2026-06-17 | N/A | 4.7 MEDIUM |
| Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. | |||||
| CVE-2023-5333 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | |||||