Note: This project will be discontinued after December 13, 2021.
Product: Mattermost
Repositories: Unknown. This might be proprietary software.
#Vulnerabilities: 57
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-11-06 | CVE-2023-5967 | Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User-Agent header to cause a panic and crash the Calls plugin. | Mattermost | 4.3 | ||
2023-11-06 | CVE-2023-5968 | Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | Mattermost | 4.9 | ||
2023-11-06 | CVE-2023-5969 | Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. | Mattermost | 5.3 | ||
2022-11-23 | CVE-2022-4019 | A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints. | Mattermost | 6.5 | ||
2022-11-23 | CVE-2022-4045 | A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints that could fetch a large amount of data. | Mattermost | 6.5 | ||
2023-02-27 | CVE-2023-27263 | A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of. | Mattermost | 6.5 | ||
2023-02-27 | CVE-2023-27264 | A missing permissions check in the Mattermost Playbooks plugin allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API. | Mattermost | 6.5 | ||
2023-03-22 | CVE-2023-1562 | Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | Mattermost | 4.3 | ||
2023-10-17 | CVE-2023-5522 | Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. | Mattermost | 4.3 | ||
2023-10-02 | CVE-2023-5160 | Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint, allowing a member to get the full name of another user even if the Show Full Name option was disabled. | Mattermost | 4.3 | ||