Mattermost

Mattermost

202 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2023-35075

  • EPSS 0.51%
  • Veröffentlicht 27.11.2023 10:15:07
  • Zuletzt bearbeitet 21.11.2024 08:07:55

Mattermost fails to use  innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. 

7.5

CVE-2023-40703

  • EPSS 0.09%
  • Veröffentlicht 27.11.2023 10:15:07
  • Zuletzt bearbeitet 21.11.2024 08:19:59

Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a speciall...

4.3

CVE-2023-43754

  • EPSS 0.35%
  • Veröffentlicht 27.11.2023 10:15:07
  • Zuletzt bearbeitet 21.11.2024 08:24:43

Mattermost fails to check whether the  “Allow users to view archived channels”  setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels”...

4.3

CVE-2023-45223

  • EPSS 0.35%
  • Veröffentlicht 27.11.2023 10:15:07
  • Zuletzt bearbeitet 21.11.2024 08:26:34

Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. 

4.3

CVE-2023-47865

  • EPSS 0.11%
  • Veröffentlicht 27.11.2023 09:15:32
  • Zuletzt bearbeitet 21.11.2024 08:30:56

Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the usern...

4.3

CVE-2023-5967

  • EPSS 0.1%
  • Veröffentlicht 06.11.2023 16:15:42
  • Zuletzt bearbeitet 21.11.2024 08:42:53

Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin

4.9

CVE-2023-5968

  • EPSS 0.14%
  • Veröffentlicht 06.11.2023 16:15:42
  • Zuletzt bearbeitet 21.11.2024 08:42:53

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

5.3

CVE-2023-5969

  • EPSS 0.11%
  • Veröffentlicht 06.11.2023 16:15:42
  • Zuletzt bearbeitet 21.11.2024 08:42:53

Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.

4.3

CVE-2023-5522

  • EPSS 0.09%
  • Veröffentlicht 17.10.2023 10:15:10
  • Zuletzt bearbeitet 21.11.2024 08:41:56

Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. 

4.3

CVE-2023-5160

  • EPSS 0.23%
  • Veröffentlicht 02.10.2023 11:15:50
  • Zuletzt bearbeitet 21.11.2024 08:41:12

Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled