Mattermost

Mattermost

180 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.3

CVE-2025-24920

  • EPSS 0.06%
  • Published 21.03.2025 08:25:44
  • Last modified 27.03.2025 14:10:53

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels

6.5

CVE-2025-30179

  • EPSS 0.05%
  • Published 21.03.2025 08:24:57
  • Last modified 27.03.2025 14:45:47

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.

8.8

CVE-2025-25274

  • EPSS 0.09%
  • Published 21.03.2025 08:24:13
  • Last modified 27.03.2025 15:01:59

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.

4.3

CVE-2025-27933

  • EPSS 0.05%
  • Published 21.03.2025 08:23:20
  • Last modified 27.03.2025 14:55:25

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public

2.7

CVE-2025-27715

  • EPSS 0.04%
  • Published 21.03.2025 08:22:25
  • Last modified 27.03.2025 15:01:03

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.

4.3

CVE-2025-1472

  • EPSS 0.05%
  • Published 19.03.2025 14:11:03
  • Last modified 01.10.2025 18:05:48

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

3.3

CVE-2025-1398

  • EPSS 0.02%
  • Published 17.03.2025 14:19:51
  • Last modified 25.09.2025 19:14:25

Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.

6.5

CVE-2025-20051

  • EPSS 0.14%
  • Published 24.02.2025 08:15:10
  • Last modified 18.08.2025 18:22:38

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially...

6.5

CVE-2025-24490

  • EPSS 0.11%
  • Published 24.02.2025 08:15:10
  • Last modified 01.10.2025 18:03:04

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reo...

4.3

CVE-2025-24526

  • EPSS 0.06%
  • Published 24.02.2025 08:15:10
  • Last modified 01.10.2025 18:03:20

Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to expo...