Mattermost

Mattermost

180 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2025-20036

  • EPSS 0.15%
  • Veröffentlicht 15.01.2025 17:15:18
  • Zuletzt bearbeitet 25.09.2025 19:14:06

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

6.5

CVE-2025-21088

  • EPSS 0.19%
  • Veröffentlicht 15.01.2025 16:15:32
  • Zuletzt bearbeitet 30.09.2025 15:52:59

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafte...

6.5

CVE-2025-20033

  • EPSS 0.27%
  • Veröffentlicht 09.01.2025 07:15:28
  • Zuletzt bearbeitet 02.10.2025 17:26:14

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_...

5.3

CVE-2025-22445

  • EPSS 0.09%
  • Veröffentlicht 09.01.2025 07:15:28
  • Zuletzt bearbeitet 02.10.2025 17:25:07

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

3.8

CVE-2025-22449

  • EPSS 0.08%
  • Veröffentlicht 09.01.2025 07:15:28
  • Zuletzt bearbeitet 29.09.2025 17:44:58

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

5.5

CVE-2024-11358

  • EPSS 0.02%
  • Veröffentlicht 16.12.2024 17:15:07
  • Zuletzt bearbeitet 24.09.2025 19:39:33

Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.

6.5

CVE-2024-54083

  • EPSS 0.53%
  • Veröffentlicht 16.12.2024 08:15:05
  • Zuletzt bearbeitet 30.09.2025 15:49:33

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a...

4.9

CVE-2024-54682

  • EPSS 0.15%
  • Veröffentlicht 16.12.2024 08:15:05
  • Zuletzt bearbeitet 30.09.2025 15:50:38

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

4.8

CVE-2024-48872

  • EPSS 0.07%
  • Veröffentlicht 16.12.2024 08:15:04
  • Zuletzt bearbeitet 16.12.2024 08:15:04

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and se...

4.3

CVE-2024-12247

  • EPSS 0.06%
  • Veröffentlicht 05.12.2024 16:15:25
  • Zuletzt bearbeitet 01.10.2025 18:21:08

Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.