CVE-2025-10545
- EPSS 0.31%
- Veröffentlicht 16.10.2025 08:24:25
- Zuletzt bearbeitet 21.10.2025 18:02:51
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/m...
CVE-2025-58075
- EPSS 0.31%
- Veröffentlicht 16.10.2025 08:20:06
- Zuletzt bearbeitet 21.10.2025 17:49:14
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless ...
CVE-2025-54499
- EPSS 0.25%
- Veröffentlicht 16.10.2025 08:17:20
- Zuletzt bearbeitet 21.10.2025 17:58:02
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on...
CVE-2025-41443
- EPSS 0.29%
- Veröffentlicht 16.10.2025 08:15:35
- Zuletzt bearbeitet 29.10.2025 08:15:30
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_...
CVE-2025-9081
- EPSS 0.25%
- Veröffentlicht 19.09.2025 19:36:14
- Zuletzt bearbeitet 25.09.2025 20:14:59
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
CVE-2025-9079
- EPSS 0.6%
- Veröffentlicht 19.09.2025 19:22:00
- Zuletzt bearbeitet 25.09.2025 20:16:04
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to pre...
CVE-2025-9072
- EPSS 0.16%
- Veröffentlicht 15.09.2025 10:28:17
- Zuletzt bearbeitet 16.09.2025 16:00:26
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cook...
CVE-2025-9084
- EPSS 0.16%
- Veröffentlicht 15.09.2025 10:22:30
- Zuletzt bearbeitet 16.09.2025 15:59:24
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
CVE-2025-9076
- EPSS 0.24%
- Veröffentlicht 15.09.2025 10:15:32
- Zuletzt bearbeitet 20.09.2025 02:52:38
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This...
CVE-2025-9078
- EPSS 0.14%
- Veröffentlicht 15.09.2025 10:15:32
- Zuletzt bearbeitet 16.09.2025 15:58:12
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previ...