Mattermost ≫ Mattermost Server

An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.

An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.

An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.

An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.

An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.

An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.