CVE-2025-49810
- EPSS 0.19%
- Veröffentlicht 21.08.2025 07:15:27
- Zuletzt bearbeitet 22.08.2025 18:09:17
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts
CVE-2025-36530
- EPSS 0.46%
- Veröffentlicht 21.08.2025 07:11:43
- Zuletzt bearbeitet 22.08.2025 18:09:17
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path trave...
CVE-2025-6227
- EPSS 0.18%
- Veröffentlicht 18.07.2025 11:39:46
- Zuletzt bearbeitet 14.10.2025 14:32:24
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the in...
CVE-2025-6233
- EPSS 0.38%
- Veröffentlicht 18.07.2025 09:09:22
- Zuletzt bearbeitet 02.10.2025 19:49:31
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
CVE-2025-6226
- EPSS 0.31%
- Veröffentlicht 18.07.2025 08:48:02
- Zuletzt bearbeitet 02.10.2025 19:49:18
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't hav...
CVE-2025-46702
- EPSS 0.18%
- Veröffentlicht 30.06.2025 16:51:13
- Zuletzt bearbeitet 08.07.2025 14:11:52
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users wi...
CVE-2025-47871
- EPSS 0.17%
- Veröffentlicht 30.06.2025 16:51:13
- Zuletzt bearbeitet 08.07.2025 14:11:33
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members bu...
CVE-2025-3228
- EPSS 0.25%
- Veröffentlicht 20.06.2025 14:31:49
- Zuletzt bearbeitet 08.07.2025 14:30:48
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
CVE-2025-3227
- EPSS 0.21%
- Veröffentlicht 20.06.2025 14:31:48
- Zuletzt bearbeitet 08.07.2025 14:31:06
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Me...
CVE-2025-4981
- EPSS 0.7%
- Veröffentlicht 20.06.2025 10:27:13
- Zuletzt bearbeitet 08.07.2025 17:59:42
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem...