Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mattermost_server
(Mattermost)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 238 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-12-12 | CVE-2023-46701 | Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | Mattermost_server | 5.3 | ||
2023-12-12 | CVE-2023-49607 | Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | Mattermost_server | 7.5 | ||
2023-12-12 | CVE-2023-49809 | Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. | Mattermost_server | 6.5 | ||
2023-12-12 | CVE-2023-49874 | Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | Mattermost_server | 4.3 | ||
2023-12-12 | CVE-2023-6547 | Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. | Mattermost_server | 5.4 | ||
2023-12-12 | CVE-2023-6727 | Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. | Mattermost_server | 4.3 | ||
2023-12-29 | CVE-2023-7113 | Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | Mattermost_server | 6.1 | ||
2024-01-02 | CVE-2023-47858 | Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. | Mattermost_server | 4.3 | ||
2024-01-02 | CVE-2023-48732 | Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. | Mattermost_server | 4.3 | ||
2024-01-02 | CVE-2023-50333 | Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | Mattermost_server | 4.3 |