Mattermost

202 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.03%
  • Published 02.12.2025 09:28:44
  • Last modified 03.12.2025 20:57:20

Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe t...

  • EPSS 0.03%
  • Published 01.12.2025 19:51:46
  • Last modified 05.12.2025 15:26:22

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by ...

  • EPSS 0.07%
  • Published 27.11.2025 17:47:04
  • Last modified 03.12.2025 15:10:42

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform...

  • EPSS 0.03%
  • Published 27.11.2025 16:36:30
  • Last modified 03.12.2025 15:16:02

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api...

  • EPSS 0.07%
  • Published 27.11.2025 15:55:44
  • Last modified 03.12.2025 15:17:16

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to ...

  • EPSS 0.03%
  • Published 18.11.2025 15:23:29
  • Last modified 25.11.2025 20:24:39

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

  • EPSS 0.04%
  • Published 14.11.2025 10:45:39
  • Last modified 19.11.2025 21:40:16

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

  • EPSS 0.03%
  • Published 14.11.2025 08:15:45
  • Last modified 17.11.2025 17:52:01

Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads

  • EPSS 0.08%
  • Published 14.11.2025 08:15:45
  • Last modified 17.11.2025 17:51:05

Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events

  • EPSS 0.03%
  • Published 14.11.2025 08:15:45
  • Last modified 19.11.2025 21:44:28

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams pl...