An issue exists in Mattermost Server prior to 3.0.0. It allows XSS via a redirect URL.
Vendor: mattermost; product: mattermost server