CVE-2025-9081
- EPSS 0.03%
- Published 19.09.2025 19:36:14
- Last modified 25.09.2025 20:14:59
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
CVE-2025-9079
- EPSS 0.13%
- Published 19.09.2025 19:22:00
- Last modified 25.09.2025 20:16:04
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to pre...
CVE-2025-9072
- EPSS 0.03%
- Published 15.09.2025 10:28:17
- Last modified 16.09.2025 16:00:26
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cook...
CVE-2025-9084
- EPSS 0.03%
- Published 15.09.2025 10:22:30
- Last modified 16.09.2025 15:59:24
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
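The two redirect entries above (the redirect_to parameter in CVE-2025-9072 and the crafted OAuth login URLs in CVE-2025-9084) are both open-redirect failures: after authentication the server sends the browser to an attacker-chosen target. The Go function below is an added example written for this page, not Mattermost's own code, showing a strict same-origin check together with the inputs that defeat looser checks (suffix matching on the host, parsing before rejecting "//", trusting the scheme). The site origin chat.example.com and the function name are assumptions; the check goes beyond the two advisories in that it handles protocol-relative, backslash and userinfo tricks as well.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// fallbackTarget is where the browser goes when redirect_to is rejected.
const fallbackTarget = "/"

// SafeRedirectTarget returns a same-origin target derived from a user-supplied
// redirect_to value, or "/" when the value must not be followed. siteURL is the
// server's configured origin, e.g. "https://chat.example.com" (assumed value).
// Hypothetical helper, not part of Mattermost.
func SafeRedirectTarget(siteURL, redirectTo string) string {
	site, err := url.Parse(siteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return fallbackTarget
	}
	if redirectTo == "" {
		return fallbackTarget
	}
	// Control characters enable header injection; browsers treat a backslash
	// as a forward slash, so "/\evil.example" would become "//evil.example".
	for _, r := range redirectTo {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return fallbackTarget
		}
	}
	// Protocol-relative targets ("//evil.example", "///evil.example") are
	// rejected on the raw string, before parsing normalises the slashes away.
	if strings.HasPrefix(redirectTo, "//") {
		return fallbackTarget
	}
	u, err := url.Parse(redirectTo)
	if err != nil || u.Opaque != "" || u.User != nil {
		// Opaque covers "javascript:..." and "data:..."; User covers
		// "https://chat.example.com@evil.example/".
		return fallbackTarget
	}
	if u.Scheme != "" || u.Host != "" {
		// Absolute URL: accept only an exact scheme and host match. A prefix
		// or suffix match would admit "chat.example.com.evil.example".
		if u.Scheme != site.Scheme || !strings.EqualFold(u.Host, site.Host) {
			return fallbackTarget
		}
	}
	// Rebuild the target from its parsed parts, never from the raw input.
	path := u.EscapedPath()
	if path == "" {
		path = "/"
	}
	if !strings.HasPrefix(path, "/") {
		return fallbackTarget
	}
	target := path
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	if u.Fragment != "" {
		target += "#" + u.EscapedFragment()
	}
	return target
}

func main() {
	const site = "https://chat.example.com" // assumed origin
	for _, in := range []string{
		"/channels/town-square",
		"https://chat.example.com/a?b=1",
		"//evil.example/x",
		"https://chat.example.com.evil.example/",
		"https://chat.example.com@evil.example/",
		"javascript:alert(1)",
		`/\evil.example`,
	} {
		fmt.Printf("%-42q -> %q\n", in, SafeRedirectTarget(site, in))
	}
}
```

The check deliberately returns a path it reconstructs itself rather than echoing the validated input, so the browser can only ever be sent to a same-origin location. It is strict about ports: "https://chat.example.com:443/" does not match a siteURL without an explicit port, which is the safe direction to fail in.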
CVE-2025-9076
- EPSS 0.03%
- Published 15.09.2025 10:15:32
- Last modified 20.09.2025 02:52:38
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This...
CVE-2025-9078
- EPSS 0.01%
- Published 15.09.2025 10:15:32
- Last modified 16.09.2025 15:58:12
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previ...
CVE-2025-8402
- EPSS 0.12%
- Published 21.08.2025 17:01:43
- Last modified 01.10.2025 20:23:12
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
CVE-2025-6465
- EPSS 0.08%
- Published 21.08.2025 17:01:42
- Last modified 02.10.2025 19:49:46
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
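CVE-2025-6465 above is a path-traversal bug in how an uploaded file name is turned into a storage path. The Go code below is an added example for this page, not Mattermost's code: it contrasts the unsafe pattern, joining the user-supplied name onto the storage directory with no confinement check, with a version that only accepts a bare file name and then verifies the joined result still lies under the directory. The directory /data/files, the thumbnail name and both function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// NaiveStoragePath shows the unsafe pattern: filepath.Join cleans ".."
// segments, but it does so by climbing out of baseDir, so a name such as
// "../thumbs/abc_thumb.jpg" lands in a sibling directory. Hypothetical helper.
func NaiveStoragePath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// SafeStoragePath accepts a bare file name only: no separators, no "." or
// "..", no control characters. It then re-checks that the joined path is
// still inside baseDir, so a later change to the name checks cannot silently
// reintroduce traversal. Hypothetical helper, not part of Mattermost.
func SafeStoragePath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", errors.New("invalid file name")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return "", errors.New("control character in file name")
		}
	}
	// Both separators are rejected: Windows hosts treat "\" as a separator,
	// and a name must never address anything but a single file.
	if strings.ContainsAny(name, `/\`) {
		return "", errors.New("path separator in file name")
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name)
	// Belt and braces: the relative path from base to full must not start
	// with ".." once cleaned.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("file name escapes storage directory")
	}
	return full, nil
}

func main() {
	const base = "/data/files" // assumed storage directory
	for _, name := range []string{
		"report.pdf",
		"../thumbs/abc_thumb.jpg", // constructed traversal attempt
		"../../etc/passwd",
		`..\x`,
	} {
		safe, err := SafeStoragePath(base, name)
		fmt.Printf("%-26q naive=%-32q safe=%q err=%v\n", name, NaiveStoragePath(base, name), safe, err)
	}
}
```

The check must run on the name exactly as the storage layer will use it: if the request handler percent-decodes the name after this function has seen it, "%2e%2e%2f" turns back into "../" and the check is bypassed, so decode first and validate the decoded value.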
CVE-2025-47870
- EPSS 0.03%
- Published 21.08.2025 08:15:30
- Last modified 22.08.2025 18:09:17
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows a team admin with no member invite privileges to get the...
CVE-2025-49222
- EPSS 0.04%
- Published 21.08.2025 08:15:30
- Last modified 22.08.2025 18:09:17
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared...