Mattermost ≫ Mattermost Server

An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.

An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.

An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.

An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.

An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel.

An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.