Mattermost

Mattermost Server

312 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2025-9081

  • EPSS 0.03%
  • Published 19.09.2025 19:36:14
  • Last modified 25.09.2025 20:14:59

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

7.2

CVE-2025-9079

  • EPSS 0.13%
  • Published 19.09.2025 19:22:00
  • Last modified 25.09.2025 20:16:04

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to pre...

5.4

CVE-2025-9072

  • EPSS 0.03%
  • Published 15.09.2025 10:28:17
  • Last modified 16.09.2025 16:00:26

Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cook...

6.1

CVE-2025-9084

  • EPSS 0.03%
  • Published 15.09.2025 10:22:30
  • Last modified 16.09.2025 15:59:24

Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs

6.5

CVE-2025-9076

  • EPSS 0.03%
  • Published 15.09.2025 10:15:32
  • Last modified 20.09.2025 02:52:38

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This...

4.3

CVE-2025-9078

  • EPSS 0.01%
  • Published 15.09.2025 10:15:32
  • Last modified 16.09.2025 15:58:12

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previ...

4.9

CVE-2025-8402

  • EPSS 0.12%
  • Published 21.08.2025 17:01:43
  • Last modified 01.10.2025 20:23:12

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

4.3

CVE-2025-6465

  • EPSS 0.08%
  • Published 21.08.2025 17:01:42
  • Last modified 02.10.2025 19:49:46

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.

4.9

CVE-2025-8023

  • EPSS 0.06%
  • Published 21.08.2025 07:51:37
  • Last modified 25.08.2025 14:56:33

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious pat...

4.9

CVE-2025-6233

  • EPSS 0.06%
  • Published 18.07.2025 09:09:22
  • Last modified 02.10.2025 19:49:31

Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.