CVE-2024-39353
- EPSS 0.34%
- Veröffentlicht 03.07.2024 09:15:06
- Zuletzt bearbeitet 21.11.2024 09:27:31
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents.
CVE-2024-39361
- EPSS 0.28%
- Veröffentlicht 03.07.2024 09:15:06
- Zuletzt bearbeitet 21.11.2024 09:27:32
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a use...
CVE-2024-36255
- EPSS 0.18%
- Veröffentlicht 26.05.2024 14:15:10
- Zuletzt bearbeitet 30.09.2025 15:29:54
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post...
CVE-2024-5270
- EPSS 0.27%
- Veröffentlicht 26.05.2024 14:15:10
- Zuletzt bearbeitet 30.09.2025 15:47:34
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentic...
CVE-2024-5272
- EPSS 0.28%
- Veröffentlicht 26.05.2024 14:15:10
- Zuletzt bearbeitet 30.09.2025 15:48:21
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the...
CVE-2024-32045
- EPSS 0.23%
- Veröffentlicht 26.05.2024 14:15:09
- Zuletzt bearbeitet 30.09.2025 15:24:46
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were...
CVE-2024-34029
- EPSS 0.3%
- Veröffentlicht 26.05.2024 14:15:09
- Zuletzt bearbeitet 30.09.2025 15:26:42
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint which allows a user to learn the members of an AD/LDAP group that...
CVE-2024-34152
- EPSS 0.26%
- Veröffentlicht 26.05.2024 14:15:09
- Zuletzt bearbeitet 30.09.2025 15:27:40
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control which allows a guest to get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL qu...
CVE-2024-36241
- EPSS 0.26%
- Veröffentlicht 26.05.2024 14:15:09
- Zuletzt bearbeitet 30.09.2025 15:28:53
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command
CVE-2024-29215
- EPSS 0.24%
- Veröffentlicht 26.05.2024 14:15:08
- Zuletzt bearbeitet 08.07.2025 18:02:30
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and ...