Mattermost

Mattermost

202 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2025-20088

  • EPSS 0.3%
  • Veröffentlicht 15.01.2025 17:15:19
  • Zuletzt bearbeitet 01.10.2025 18:20:36

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

6.5

CVE-2025-21083

  • EPSS 0.16%
  • Veröffentlicht 15.01.2025 17:15:19
  • Zuletzt bearbeitet 25.09.2025 19:14:15

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

6.5

CVE-2025-20036

  • EPSS 0.16%
  • Veröffentlicht 15.01.2025 17:15:18
  • Zuletzt bearbeitet 25.09.2025 19:14:06

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

6.5

CVE-2025-21088

  • EPSS 0.26%
  • Veröffentlicht 15.01.2025 16:15:32
  • Zuletzt bearbeitet 30.09.2025 15:52:59

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafte...

6.5

CVE-2025-20033

  • EPSS 0.26%
  • Veröffentlicht 09.01.2025 07:15:28
  • Zuletzt bearbeitet 02.10.2025 17:26:14

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_...

5.3

CVE-2025-22445

  • EPSS 0.12%
  • Veröffentlicht 09.01.2025 07:15:28
  • Zuletzt bearbeitet 02.10.2025 17:25:07

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

3.8

CVE-2025-22449

  • EPSS 0.1%
  • Veröffentlicht 09.01.2025 07:15:28
  • Zuletzt bearbeitet 29.09.2025 17:44:58

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

5.5

CVE-2024-11358

  • EPSS 0.02%
  • Veröffentlicht 16.12.2024 17:15:07
  • Zuletzt bearbeitet 24.09.2025 19:39:33

Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.

6.5

CVE-2024-54083

  • EPSS 0.55%
  • Veröffentlicht 16.12.2024 08:15:05
  • Zuletzt bearbeitet 30.09.2025 15:49:33

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a...

4.9

CVE-2024-54682

  • EPSS 0.17%
  • Veröffentlicht 16.12.2024 08:15:05
  • Zuletzt bearbeitet 30.09.2025 15:50:38

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.