Mattermost ≫ Mattermost Server

An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.

An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.

An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.

An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.

An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.

An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.

An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.