CVE-2024-10241
- EPSS 0.29%
- Veröffentlicht 29.10.2024 08:15:11
- Zuletzt bearbeitet 30.09.2025 17:09:36
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
CVE-2024-10214
- EPSS 0.35%
- Veröffentlicht 28.10.2024 15:15:04
- Zuletzt bearbeitet 05.11.2024 17:03:22
Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.
CVE-2024-9155
- EPSS 0.26%
- Veröffentlicht 26.09.2024 15:15:18
- Zuletzt bearbeitet 29.09.2025 13:50:51
Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
CVE-2024-43105
- EPSS 0.43%
- Veröffentlicht 23.08.2024 08:15:04
- Zuletzt bearbeitet 17.03.2026 14:42:28
Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple times at once.
CVE-2024-40886
- EPSS 0.19%
- Veröffentlicht 22.08.2024 07:15:04
- Zuletzt bearbeitet 23.08.2024 16:09:31
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Ma...
CVE-2024-42411
- EPSS 0.29%
- Veröffentlicht 22.08.2024 07:15:04
- Zuletzt bearbeitet 23.08.2024 16:04:26
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their ac...
CVE-2024-43813
- EPSS 0.24%
- Veröffentlicht 22.08.2024 07:15:04
- Zuletzt bearbeitet 23.08.2024 15:35:12
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.
CVE-2024-8071
- EPSS 0.34%
- Veröffentlicht 22.08.2024 07:15:04
- Zuletzt bearbeitet 23.08.2024 15:34:53
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update...
CVE-2024-32939
- EPSS 0.22%
- Veröffentlicht 22.08.2024 07:15:03
- Zuletzt bearbeitet 23.08.2024 16:17:54
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be...
CVE-2024-39810
- EPSS 0.46%
- Veröffentlicht 22.08.2024 07:15:03
- Zuletzt bearbeitet 23.08.2024 16:16:36
Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path fiel...