Mattermost

202 vulnerabilities found.

Note: This list may be incomplete. Data is provided as-is, without warranty, in its original format.
  • EPSS 0.03%
  • Published 14.11.2025 08:15:43
  • Last modified 17.11.2025 17:52:51

Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

  • EPSS 0.02%
  • Published 13.11.2025 17:32:04
  • Last modified 14.11.2025 16:42:03

Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or an on-path attacker to obtain user session credentials via crafted token-in-URL responses
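The generic defence against the class of bug described in this entry is to bind the redirect that carries a token to the origin the client was configured with, and to refuse the token if scheme or host differ. The following is an added illustration written for this page in Go, not the mobile app's own (React Native) code; the server URL `https://chat.example.com`, the `/login/sso/complete` path and the `token` query parameter are constructed assumptions, and the check is deliberately strict (https only, exact scheme and host:port match) so that lookalike hosts, userinfo tricks and scheme downgrades all fail.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Illustrative check, not Mattermost code.
var errUntrustedOrigin = errors.New("sso redirect does not originate from the configured server")

// sameOrigin compares scheme and host:port of two parsed URLs. Parsing first
// means "https://chat.example.com@evil.example/" is seen as host evil.example,
// and "chat.example.com.evil.example" is simply a different host.
func sameOrigin(trusted, candidate *url.URL) bool {
	return strings.EqualFold(trusted.Scheme, candidate.Scheme) &&
		strings.EqualFold(trusted.Host, candidate.Host)
}

// extractSSOToken returns the token carried in a redirect URL only when the
// redirect uses https and its origin matches trustedServer (assumption: the
// single server URL the user entered). The token is never read before the
// origin check passes.
func extractSSOToken(trustedServer, redirect string) (string, error) {
	trusted, err := url.Parse(trustedServer)
	if err != nil {
		return "", err
	}
	r, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	if !strings.EqualFold(r.Scheme, "https") {
		return "", errors.New("sso redirect must use https")
	}
	if !sameOrigin(trusted, r) {
		return "", errUntrustedOrigin
	}
	token := r.Query().Get("token") // parameter name is an assumption
	if token == "" {
		return "", errors.New("sso redirect carries no token")
	}
	return token, nil
}

func main() {
	const server = "https://chat.example.com" // constructed, not a real instance
	for _, redirect := range []string{
		"https://chat.example.com/login/sso/complete?token=abc123",
		"https://chat.example.com.evil.example/login?token=abc123",
		"https://chat.example.com@evil.example/login?token=abc123",
		"http://chat.example.com/login?token=abc123",
	} {
		tok, err := extractSSOToken(server, redirect)
		fmt.Printf("%-60s token=%q err=%v\n", redirect, tok, err)
	}
}
```

Only the first redirect in `main` yields a token; the lookalike host, the userinfo trick and the plain-http downgrade are all rejected before the query string is inspected. If the client supports several configured servers, the same check applies per server: the token is accepted only against the origin that initiated the SSO flow.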

  • EPSS 0.03%
  • Published 13.11.2025 17:32:03
  • Last modified 17.11.2025 18:05:07

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams...

  • EPSS 0.05%
  • Published 16.10.2025 15:18:25
  • Last modified 29.10.2025 18:31:15

Mattermost Desktop App versions <=5.13.0 fail to manage modals in the Mattermost Desktop App, which stops a user whose server uses basic authentication from accessing that server and allows an attacker that provides a malicious server to the u...

  • EPSS 0.04%
  • Published 16.10.2025 08:44:26
  • Last modified 21.10.2025 17:51:42

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless ...

  • EPSS 0.01%
  • Published 16.10.2025 08:39:58
  • Last modified 21.10.2025 18:00:54

Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during the Slack import process, which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import...

  • EPSS 0.01%
  • Published 16.10.2025 08:24:25
  • Last modified 21.10.2025 18:02:51

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/m...

  • EPSS 0.04%
  • Published 16.10.2025 08:20:06
  • Last modified 21.10.2025 17:49:14

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless ...

  • EPSS 0.04%
  • Published 16.10.2025 08:17:20
  • Last modified 21.10.2025 17:58:02

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons, which allows attackers to exploit timing oracles to perform byte-by-byte brute-force attacks via response time analysis on...

  • EPSS 0.01%
  • Published 16.10.2025 08:15:35
  • Last modified 29.10.2025 08:15:30

Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_...