Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mattermost_server
(Mattermost)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 238 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-10-09 | CVE-2023-5330 | Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | Mattermost_server | 7.5 | ||
| 2023-10-09 | CVE-2023-5331 | Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. | Mattermost_server | 5.3 | ||
| 2023-10-09 | CVE-2023-5333 | Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | Mattermost_server | 6.5 | ||
| 2023-12-06 | CVE-2023-6458 | Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | Mattermost_server | 9.8 | ||
| 2023-12-06 | CVE-2023-6459 | Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs. | Mattermost_server | 5.3 | ||
| 2023-12-12 | CVE-2023-45316 | Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | Mattermost_server | 8.8 | ||
| 2023-12-12 | CVE-2023-45847 | Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | Mattermost_server | 7.5 | ||
| 2023-12-12 | CVE-2023-46701 | Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | Mattermost_server | 5.3 | ||
| 2023-12-12 | CVE-2023-49607 | Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | Mattermost_server | 7.5 | ||
| 2023-12-12 | CVE-2023-49809 | Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. | Mattermost_server | 6.5 |