Mattermost Server vulnerabilities and exploits
CVE-2017-18911 (CVSSv2 6.4)
An issue exists in Mattermost Server prior to 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
Vendor/Product: Mattermost / Mattermost Server
CVE-2023-46701 (CVSS score: NA)
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing a malicious user to get limited information about a post if they know the post ID.
Vendor/Product: Mattermost / Mattermost Server
CVE-2023-6459 (CVSS score: NA)
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
Vendor/Product: Mattermost / Mattermost Server
CVE-2022-1384 (CVSSv2 6)
Mattermost version 6.4.x and previous versions fail to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and authorized user to install and exploit an old plugin version from the Marketplace which might have known...
Vendor/Product: Mattermost / Mattermost Server
CVE-2023-3582 (CVSS score: NA)
Mattermost fails to verify channel membership when linking a board to a channel, allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to.
Vendor/Product: Mattermost / Mattermost Server
CVE-2023-3584 (CVSS score: NA)
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
Vendor/Product: Mattermost / Mattermost Server
CVE-2023-3591 (CVSS score: NA)
Mattermost fails to invalidate previously generated password reset tokens when a new reset token is created.
Vendor/Product: Mattermost / Mattermost Server
CVE-2022-1385 (CVSSv2 5.8)
Mattermost 6.4.x and previous versions fail to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
Vendor/Product: Mattermost / Mattermost Server
CVE-2023-45316 (CVSS score: NA)
Mattermost fails to validate whether a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing a malicious user to use a path traversal payload that points to a different endpoint, leading to a CSRF attack.
Vendor/Product: Mattermost / Mattermost Server
CVE-2016-11082 (CVSSv2 4.3)
An issue exists in Mattermost Server prior to 2.2.0. It allows XSS via a crafted link.
Vendor/Product: Mattermost / Mattermost Server