Mattermost

Mattermost Server

388 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2023-6547

  • EPSS 0.32%
  • Veröffentlicht 12.12.2023 09:15:09
  • Zuletzt bearbeitet 21.11.2024 08:44:04

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user wa...

5.3

CVE-2023-46701

  • EPSS 0.19%
  • Veröffentlicht 12.12.2023 09:15:08
  • Zuletzt bearbeitet 21.11.2024 08:29:06

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

7.5

CVE-2023-49607

  • EPSS 0.11%
  • Veröffentlicht 12.12.2023 09:15:08
  • Zuletzt bearbeitet 21.11.2024 08:33:37

Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.

8.8

CVE-2023-45316

  • EPSS 0.26%
  • Veröffentlicht 12.12.2023 09:15:07
  • Zuletzt bearbeitet 21.11.2024 08:26:43

Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF atta...

7.5

CVE-2023-45847

  • EPSS 0.13%
  • Veröffentlicht 12.12.2023 09:15:07
  • Zuletzt bearbeitet 21.11.2024 08:27:28

Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin

5.3

CVE-2023-6459

  • EPSS 0.49%
  • Veröffentlicht 06.12.2023 09:15:09
  • Zuletzt bearbeitet 21.11.2024 08:43:54

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

9.8

CVE-2023-6458

  • EPSS 0.46%
  • Veröffentlicht 06.12.2023 09:15:08
  • Zuletzt bearbeitet 21.11.2024 08:43:53

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.

7.5

CVE-2023-5330

  • EPSS 0.12%
  • Veröffentlicht 09.10.2023 11:15:11
  • Zuletzt bearbeitet 21.11.2024 08:41:32

Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.

5.3

CVE-2023-5331

  • EPSS 0.17%
  • Veröffentlicht 09.10.2023 11:15:11
  • Zuletzt bearbeitet 21.11.2024 08:41:32

Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.

6.5

CVE-2023-5333

  • EPSS 0.12%
  • Veröffentlicht 09.10.2023 11:15:11
  • Zuletzt bearbeitet 21.11.2024 08:41:33

Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.