Mattermost

Mattermost Server

336 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.
  • EPSS 0.03%
  • Published 14.11.2025 08:15:43
  • Last modified 17.11.2025 17:52:51

Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

  • EPSS 0.02%
  • Published 13.11.2025 17:32:03
  • Last modified 17.11.2025 18:05:07

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams...

  • EPSS 0.04%
  • Published 16.10.2025 08:44:26
  • Last modified 21.10.2025 17:51:42

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacker to join any team on a Mattermost server regardless ...

  • EPSS 0.01%
  • Published 16.10.2025 08:39:58
  • Last modified 21.10.2025 18:00:54

Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import...

  • EPSS 0.01%
  • Published 16.10.2025 08:24:25
  • Last modified 21.10.2025 18:02:51

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/m...

  • EPSS 0.04%
  • Published 16.10.2025 08:20:06
  • Last modified 21.10.2025 17:49:14

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacker to join any team on a Mattermost server regardless ...

  • EPSS 0.04%
  • Published 16.10.2025 08:17:20
  • Last modified 21.10.2025 17:58:02

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on...

  • EPSS 0.01%
  • Published 16.10.2025 08:15:35
  • Last modified 29.10.2025 08:15:30

Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_...

  • EPSS 0.02%
  • Published 19.09.2025 19:36:14
  • Last modified 25.09.2025 20:14:59

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

  • EPSS 0.05%
  • Published 19.09.2025 19:22:00
  • Last modified 25.09.2025 20:16:04

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to pre...