Mattermost ≫ Mattermost Server

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.

An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.

An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.

An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.

An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.

An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.

An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.

An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.