Mattermost

Mattermost

317 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.15%
  • Veröffentlicht 18.05.2026 06:50:07
  • Zuletzt bearbeitet 18.05.2026 19:17:19

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious r...

  • EPSS 0.12%
  • Veröffentlicht 18.05.2026 06:33:56
  • Zuletzt bearbeitet 29.05.2026 19:11:30

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different clien...

  • EPSS 0.17%
  • Veröffentlicht 15.05.2026 18:42:47
  • Zuletzt bearbeitet 18.05.2026 18:37:37

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via...

  • EPSS 0.24%
  • Veröffentlicht 15.05.2026 18:32:44
  • Zuletzt bearbeitet 18.05.2026 18:36:00

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under ...

  • EPSS 0.15%
  • Veröffentlicht 15.04.2026 11:00:14
  • Zuletzt bearbeitet 22.04.2026 19:41:52

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple i...

  • EPSS 0.13%
  • Veröffentlicht 15.04.2026 10:13:33
  • Zuletzt bearbeitet 22.04.2026 19:42:25

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a...

  • EPSS 0.17%
  • Veröffentlicht 15.04.2026 10:11:07
  • Zuletzt bearbeitet 22.04.2026 19:43:52

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of ...

  • EPSS 0.31%
  • Veröffentlicht 09.04.2026 10:12:45
  • Zuletzt bearbeitet 17.04.2026 20:31:03

Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost A...

  • EPSS 0.31%
  • Veröffentlicht 09.04.2026 10:09:23
  • Zuletzt bearbeitet 25.04.2026 18:02:06

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost A...

  • EPSS 0.38%
  • Veröffentlicht 06.04.2026 12:06:22
  • Zuletzt bearbeitet 07.04.2026 13:20:35

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to t...