CVE-2025-9084
- EPSS 0.16%
- Veröffentlicht 15.09.2025 10:22:30
- Zuletzt bearbeitet 16.09.2025 15:59:24
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
CVE-2025-9076
- EPSS 0.24%
- Veröffentlicht 15.09.2025 10:15:32
- Zuletzt bearbeitet 20.09.2025 02:52:38
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This...
CVE-2025-9078
- EPSS 0.14%
- Veröffentlicht 15.09.2025 10:15:32
- Zuletzt bearbeitet 16.09.2025 15:58:12
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previ...
CVE-2025-8402
- EPSS 0.3%
- Veröffentlicht 21.08.2025 17:01:43
- Zuletzt bearbeitet 01.10.2025 20:23:12
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
CVE-2025-6465
- EPSS 0.7%
- Veröffentlicht 21.08.2025 17:01:42
- Zuletzt bearbeitet 02.10.2025 19:49:46
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
CVE-2025-47870
- EPSS 0.2%
- Veröffentlicht 21.08.2025 08:15:30
- Zuletzt bearbeitet 22.08.2025 18:09:17
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the...
CVE-2025-49222
- EPSS 0.28%
- Veröffentlicht 21.08.2025 08:15:30
- Zuletzt bearbeitet 22.08.2025 18:09:17
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared...
CVE-2025-8023
- EPSS 0.38%
- Veröffentlicht 21.08.2025 07:51:37
- Zuletzt bearbeitet 25.08.2025 14:56:33
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious pat...
CVE-2025-53971
- EPSS 0.19%
- Veröffentlicht 21.08.2025 07:31:01
- Zuletzt bearbeitet 22.08.2025 18:09:17
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles...
CVE-2025-47700
- EPSS 0.17%
- Veröffentlicht 21.08.2025 07:28:37
- Zuletzt bearbeitet 29.10.2025 18:40:16
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions