Mattermost

214 vulnerabilities found.

Note: This list may be incomplete. Data is provided as-is, without warranty, in its original format.
  • EPSS 0.06%
  • Published 14.04.2025 06:56:22
  • Last modified 24.09.2025 14:57:30

Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifica...

  • EPSS 0.22%
  • Published 10.04.2025 15:33:21
  • Last modified 01.10.2025 18:06:06

Mattermost versions 9.11.x <= 9.11.8  fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.

  • EPSS 0.12%
  • Published 24.03.2025 15:15:16
  • Last modified 25.09.2025 19:14:35

Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.

  • EPSS 0.17%
  • Published 21.03.2025 08:26:32
  • Last modified 27.03.2025 14:03:38

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.

  • EPSS 0.11%
  • Published 21.03.2025 08:25:44
  • Last modified 27.03.2025 14:10:53

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels.

  • EPSS 0.03%
  • Published 21.03.2025 08:24:57
  • Last modified 27.03.2025 14:45:47

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
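Both MFA entries above (plugin endpoints and the search APIs) describe the same failure mode: the MFA gate covered an enumerated set of routes and everything outside that set fell through. The following is an added example, not Mattermost code, that models that middleware decision for a session whose user is subject to MFA enforcement but has not completed the second factor. The vulnerable denylist gate sits beside a default-deny allowlist gate. The route list, the plugin ID and the session values are constructed for illustration; the MFA-enrolment exemption path is an assumption, not a documented Mattermost route.

```python
"""Added example (not Mattermost code): why an MFA gate must be default-deny.

Models an HTTP middleware decision for a user whose account is subject to MFA
enforcement but who has not completed the MFA step for this session.
Plugin ID, session values and the exempt enrolment path are constructed.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    mfa_required: bool     # server policy says this user must use MFA
    mfa_completed: bool    # this session has passed the second factor


def _needs_second_factor(s: Session) -> bool:
    return s.mfa_required and not s.mfa_completed


# Vulnerable pattern: an explicit list of route prefixes that enforce MFA.
# Anything not listed (plugin routes, search endpoints) falls through.
MFA_PROTECTED_PREFIXES = (
    "/api/v4/posts",
    "/api/v4/channels",
    "/api/v4/files",
)


def gate_denylist(s: Session, path: str) -> bool:
    """Return True if the request may proceed (vulnerable: denylist)."""
    if _needs_second_factor(s) and path.startswith(MFA_PROTECTED_PREFIXES):
        return False
    return True


# Hardened pattern: every route requires a completed second factor except the
# few needed to finish login or MFA enrolment. The enrolment path is assumed.
MFA_EXEMPT_PREFIXES = (
    "/api/v4/users/login",
    "/api/v4/users/logout",
    "/api/v4/users/me/mfa",   # assumed enrolment route, for illustration only
    "/static/",
)


def gate_allowlist(s: Session, path: str) -> bool:
    """Return True if the request may proceed (hardened: allowlist)."""
    if not _needs_second_factor(s):
        return True
    return path.startswith(MFA_EXEMPT_PREFIXES)


# Constructed probe set: an attacker holding a session for a user who has not
# completed MFA tries the kinds of routes the two advisories name.
PROBES = [
    "/api/v4/posts",
    "/api/v4/users/search",
    "/api/v4/teams/search",
    "/api/v4/teams/t1/channels/search",
    "/plugins/com.example.plugin/api/v1/records",
]


def bypassed_paths(gate) -> list:
    """Probe paths the given gate lets through for an MFA-incomplete session."""
    s = Session("u1", mfa_required=True, mfa_completed=False)
    return [p for p in PROBES if gate(s, p)]


if __name__ == "__main__":
    print("denylist lets through:", bypassed_paths(gate_denylist))
    print("allowlist lets through:", bypassed_paths(gate_allowlist))
```

The practical check for a deployment is the same shape as the probe list: take a session for a test account that has MFA enforced but not yet enrolled, request a plugin route and the user, team and channel search endpoints, and treat any response other than a rejection as a finding.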

  • EPSS 0.33%
  • Published 21.03.2025 08:24:13
  • Last modified 27.03.2025 15:01:59

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.

  • EPSS 0.11%
  • Published 21.03.2025 08:23:20
  • Last modified 27.03.2025 14:55:25

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.

  • EPSS 0.09%
  • Published 21.03.2025 08:22:25
  • Last modified 27.03.2025 15:01:03

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalinks without their explicit consent.

  • EPSS 0.1%
  • Published 19.03.2025 14:11:03
  • Last modified 01.10.2025 18:05:48

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
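The affected-version expressions throughout this listing follow one pattern: a branch such as 10.4.x with an inclusive upper bound, or a bare <= bound for the mobile apps. The helper below is an added example, not part of this listing and not Mattermost's own tooling: it parses that pattern and reports which entries apply to a given deployed version. The entry labels are constructed; the range strings are quoted from the entries above. The function reflects only what each entry lists, so a branch an entry does not mention is reported as not listed, which is not the same as confirmed unaffected.

```python
"""Added example, not Mattermost's code: match a deployed version against the
affected-version expressions used in this listing, e.g. "10.4.x <= 10.4.2"
(branch-scoped) or "<=2.25.0" (bare bound). Entry labels are constructed;
the range strings are quoted from the page."""
import re

# "MAJ.MIN.x <= MAJ.MIN.PATCH" (branch-scoped) or bare "<= MAJ.MIN.PATCH"
_RANGE_RE = re.compile(r"(?:(\d+)\.(\d+)\.x\s*)?<=\s*(\d+)\.(\d+)\.(\d+)")


def parse_ranges(spec: str) -> list:
    """Return (branch, inclusive_upper) pairs; branch is None for a bare bound."""
    ranges = []
    for m in _RANGE_RE.finditer(spec):
        bmaj, bmin, umaj, umin, upat = m.groups()
        branch = (int(bmaj), int(bmin)) if bmaj is not None else None
        ranges.append((branch, (int(umaj), int(umin), int(upat))))
    if not ranges:
        raise ValueError(f"no version ranges found in: {spec!r}")
    return ranges


def parse_version(version: str) -> tuple:
    """Accept 'MAJ.MIN.PATCH' or 'MAJ.MIN' (patch taken as 0). Pre-release
    suffixes are rejected rather than guessed at."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str, spec: str) -> bool:
    """True if `version` falls inside any range the entry text lists."""
    v = parse_version(version)
    for branch, upper in parse_ranges(spec):
        if branch is not None and v[:2] != branch:
            continue  # an entry scoped to 9.11.x says nothing about 10.x
        if v <= upper:
            return True
    return False


# Constructed labels; the range strings are the ones used in the server
# entries above. Mobile-app ranges live in a different version space and are
# deliberately not mixed into this table.
SERVER_ENTRIES = {
    "MFA not enforced on plugin endpoints":
        "10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0",
    "MFA not enforced on search APIs":
        "10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8",
    "/api/v4/audits access control":
        "9.11.x <= 9.11.8",
}


def affected_entries(version: str, entries=SERVER_ENTRIES) -> list:
    """Labels of entries whose listed ranges include `version`."""
    return [label for label, spec in entries.items() if is_affected(version, spec)]


if __name__ == "__main__":
    for v in ("10.4.1", "10.5.0", "9.11.9", "10.2.0"):
        print(v, "->", affected_entries(v))
```

Note the asymmetry this makes visible: 10.5.0 matches the plugin-endpoint entry, which lists a 10.5.x range, but not the search-API entry, which does not; the listing alone does not say whether 10.5.0 is clear of the latter, so treat "not listed" as a prompt to check the vendor advisory rather than as a clean result.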