Mattermost

Mattermost Server

312 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2023-7113

  • EPSS 0.73%
  • Veröffentlicht 29.12.2023 13:15:11
  • Zuletzt bearbeitet 21.11.2024 08:45:18

Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.

4.3

CVE-2023-6727

  • EPSS 0.25%
  • Veröffentlicht 12.12.2023 11:15:07
  • Zuletzt bearbeitet 21.11.2024 08:44:25

Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific key...

6.5

CVE-2023-49809

  • EPSS 0.13%
  • Veröffentlicht 12.12.2023 09:15:09
  • Zuletzt bearbeitet 21.11.2024 08:33:53

Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. 

4.3

CVE-2023-49874

  • EPSS 0.11%
  • Veröffentlicht 12.12.2023 09:15:09
  • Zuletzt bearbeitet 21.11.2024 08:33:58

Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.

5.4

CVE-2023-6547

  • EPSS 0.21%
  • Veröffentlicht 12.12.2023 09:15:09
  • Zuletzt bearbeitet 21.11.2024 08:44:04

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user wa...

5.3

CVE-2023-46701

  • EPSS 0.19%
  • Veröffentlicht 12.12.2023 09:15:08
  • Zuletzt bearbeitet 21.11.2024 08:29:06

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

7.5

CVE-2023-49607

  • EPSS 0.11%
  • Veröffentlicht 12.12.2023 09:15:08
  • Zuletzt bearbeitet 21.11.2024 08:33:37

Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.

8.8

CVE-2023-45316

  • EPSS 0.2%
  • Veröffentlicht 12.12.2023 09:15:07
  • Zuletzt bearbeitet 21.11.2024 08:26:43

Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF atta...

7.5

CVE-2023-45847

  • EPSS 0.13%
  • Veröffentlicht 12.12.2023 09:15:07
  • Zuletzt bearbeitet 21.11.2024 08:27:28

Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin

5.3

CVE-2023-6459

  • EPSS 0.42%
  • Veröffentlicht 06.12.2023 09:15:09
  • Zuletzt bearbeitet 21.11.2024 08:43:54

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.