Product:

Mattermost_server

(Mattermost)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 238
Date Id Summary Products Score Patch Annotated
2023-12-12 CVE-2023-46701 Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID Mattermost_server 5.3
2023-12-12 CVE-2023-49607 Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. Mattermost_server 7.5
2023-12-12 CVE-2023-49809 Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.  Mattermost_server 6.5
2023-12-12 CVE-2023-49874 Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. Mattermost_server 4.3
2023-12-12 CVE-2023-6547 Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.  Mattermost_server 5.4
2023-12-12 CVE-2023-6727 Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.  Mattermost_server 4.3
2023-12-29 CVE-2023-7113 Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. Mattermost_server 6.1
2024-01-02 CVE-2023-47858 Mattermost fails to properly verify the permissions needed for viewing archived public channels,  allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. Mattermost_server 4.3
2024-01-02 CVE-2023-48732 Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. Mattermost_server 4.3
2024-01-02 CVE-2023-50333 Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. Mattermost_server 4.3