CVE-2025-8402
- EPSS 0.3%
- Veröffentlicht 21.08.2025 17:01:43
- Zuletzt bearbeitet 01.10.2025 20:23:12
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
CVE-2025-6465
- EPSS 0.7%
- Veröffentlicht 21.08.2025 17:01:42
- Zuletzt bearbeitet 02.10.2025 19:49:46
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
CVE-2025-8023
- EPSS 0.38%
- Veröffentlicht 21.08.2025 07:51:37
- Zuletzt bearbeitet 25.08.2025 14:56:33
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious pat...
CVE-2025-47700
- EPSS 0.17%
- Veröffentlicht 21.08.2025 07:28:37
- Zuletzt bearbeitet 29.10.2025 18:40:16
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
CVE-2025-6227
- EPSS 0.18%
- Veröffentlicht 18.07.2025 11:39:46
- Zuletzt bearbeitet 14.10.2025 14:32:24
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the in...
CVE-2025-6233
- EPSS 0.38%
- Veröffentlicht 18.07.2025 09:09:22
- Zuletzt bearbeitet 02.10.2025 19:49:31
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
CVE-2025-6226
- EPSS 0.31%
- Veröffentlicht 18.07.2025 08:48:02
- Zuletzt bearbeitet 02.10.2025 19:49:18
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't hav...
CVE-2025-46702
- EPSS 0.18%
- Veröffentlicht 30.06.2025 16:51:13
- Zuletzt bearbeitet 08.07.2025 14:11:52
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users wi...
CVE-2025-47871
- EPSS 0.17%
- Veröffentlicht 30.06.2025 16:51:13
- Zuletzt bearbeitet 08.07.2025 14:11:33
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members bu...
CVE-2025-3228
- EPSS 0.25%
- Veröffentlicht 20.06.2025 14:31:49
- Zuletzt bearbeitet 08.07.2025 14:30:48
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.