Mattermost

Mattermost

317 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.24%
  • Veröffentlicht 26.05.2024 14:15:08
  • Zuletzt bearbeitet 30.09.2025 15:20:13

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin

  • EPSS 0.5%
  • Veröffentlicht 26.04.2024 09:15:13
  • Zuletzt bearbeitet 12.05.2025 13:45:11

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

  • EPSS 0.45%
  • Veröffentlicht 26.04.2024 09:15:12
  • Zuletzt bearbeitet 12.05.2025 13:39:45

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the f...

  • EPSS 0.55%
  • Veröffentlicht 26.04.2024 09:15:12
  • Zuletzt bearbeitet 12.05.2025 13:41:16

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom sta...

  • EPSS 0.61%
  • Veröffentlicht 26.04.2024 09:15:12
  • Zuletzt bearbeitet 12.05.2025 13:42:25

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API a...

  • EPSS 0.5%
  • Veröffentlicht 26.04.2024 09:15:12
  • Zuletzt bearbeitet 12.05.2025 13:43:36

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

  • EPSS 0.54%
  • Veröffentlicht 26.04.2024 09:15:11
  • Zuletzt bearbeitet 12.05.2025 13:37:38

Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via...

  • EPSS 0.33%
  • Veröffentlicht 29.02.2024 09:15:06
  • Zuletzt bearbeitet 12.05.2025 13:35:39

Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in ...

  • EPSS 0.31%
  • Veröffentlicht 29.02.2024 08:15:47
  • Zuletzt bearbeitet 12.05.2025 13:34:26

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

  • EPSS 0.33%
  • Veröffentlicht 29.02.2024 08:15:46
  • Zuletzt bearbeitet 12.05.2025 13:32:55

Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export.