CVE-2024-24776
- EPSS 0.16%
- Published 09.02.2024 15:15:08
- Last modified 21.11.2024 08:59:40
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.
CVE-2023-47858
- EPSS 0.19%
- Published 02.01.2024 10:15:08
- Last modified 21.11.2024 08:30:55
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted end...
CVE-2023-48732
- EPSS 0.59%
- Published 02.01.2024 10:15:08
- Last modified 21.11.2024 08:32:20
Mattermost fails to scope the WebSocket response around notified users to each user separately, resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
CVE-2023-50333
- EPSS 0.06%
- Published 02.01.2024 10:15:08
- Last modified 21.11.2024 08:36:51
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
CVE-2023-7113
- EPSS 0.73%
- Published 29.12.2023 13:15:11
- Last modified 21.11.2024 08:45:18
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
CVE-2023-6727
- EPSS 0.33%
- Published 12.12.2023 11:15:07
- Last modified 21.11.2024 08:44:25
Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific key...
CVE-2023-49809
- EPSS 0.13%
- Published 12.12.2023 09:15:09
- Last modified 21.11.2024 08:33:53
Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.
CVE-2023-49874
- EPSS 0.11%
- Published 12.12.2023 09:15:09
- Last modified 21.11.2024 08:33:58
Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.
CVE-2023-6547
- EPSS 0.25%
- Published 12.12.2023 09:15:09
- Last modified 21.11.2024 08:44:04
Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user wa...
CVE-2023-46701
- EPSS 0.19%
- Published 12.12.2023 09:15:08
- Last modified 21.11.2024 08:29:06
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID.