Vulnerabilites related to mattermost - mattermost_server
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.7.0 | |
| mattermost | mattermost_server | 4.7.0 | |
| mattermost | mattermost_server | 4.7.0 | |
| mattermost | mattermost_server | 4.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3C7A37D-AB68-481A-BFAC-99C52549AF53",
"versionEndExcluding": "4.5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B1646FC2-6616-4982-BFC2-5F429167BBC6",
"versionEndExcluding": "4.6.2",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "20A02468-1390-4956-BA9A-552CE6A5B8E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "A36AC2FD-D698-463E-B6E4-E98578578B22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "1367CF10-1AA7-4ACE-8EB5-3E79CF74C2D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "860BF218-5019-4CA2-A3E8-345947CCAF9B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.7.0, 4.6.2 y 4.5.2. No hizo aplico la fecha de vencimiento de una respuesta SAML"
}
],
"id": "CVE-2018-21264",
"lastModified": "2024-11-21T04:03:19.310",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:10.803",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-23 15:15
Modified
2024-11-21 07:19
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://hackerone.com/reports/1620170 | Exploit, Third Party Advisory | |
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1620170 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9507DE58-215B-472C-8410-DF0ED6F6CF81",
"versionEndExcluding": "7.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service."
},
{
"lang": "es",
"value": "Mattermost versi\u00f3n 7.1.x y anteriores, no procesan suficientemente un archivo GIF espec\u00edficamente dise\u00f1ado cuando es descargado mientras es redactada una publicaci\u00f3n, lo que permite a usuarios autenticados causar el agotamiento de los recursos mientras es procesado el archivo, resultando en una Denegaci\u00f3n de Servicio del lado del servidor."
}
],
"id": "CVE-2022-3257",
"lastModified": "2024-11-21T07:19:09.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-23T15:15:13.857",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1620170"
},
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1620170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.\n\n"
}
],
"id": "CVE-2023-3587",
"lastModified": "2024-11-21T08:17:36.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.780",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D17BC777-43D7-4B7B-B969-23B85BC94AF9",
"versionEndExcluding": "3.10.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88AA2DE4-716D-43AD-BD34-DFA48FCBE22E",
"versionEndExcluding": "4.0.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.1.0, 4.0.4 y 3.10.3. Permite a atacantes detectar un ID de invitaci\u00f3n de equipo al solicitar un documento JSON"
}
],
"id": "CVE-2017-18901",
"lastModified": "2024-11-21T03:21:13.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.577",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E25AF9D2-E3CE-4908-B1E1-881902AB0288",
"versionEndExcluding": "4.10.5",
"versionStartIncluding": "4.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D58AA43B-3BA9-49E8-9990-C75EDD80DBB4",
"versionEndExcluding": "5.5.2",
"versionStartIncluding": "5.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "265633A5-B99D-410D-AA05-EEC2C2D0737A",
"versionEndExcluding": "5.6.3",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "549BD8DD-BDE8-4BD2-AF2F-FB1524FD03B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "F9617DF4-C088-45E2-B5AE-ACDC67C506F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "4984DC54-ECA8-4D09-AC07-A0B6AFF2BDE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "6759822F-9E3B-43AF-94A6-76D12D31B2CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "AFE07030-5623-422C-A324-1D5504B21E7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "2B1A93DE-561B-41BD-86D3-C75471854A25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.7, 5.6.3, 5.5.2 y 4.10.5. Maneja inapropiadamente los permisos para la creaci\u00f3n de tokens de acceso de usuario"
}
],
"id": "CVE-2019-20889",
"lastModified": "2024-11-21T04:39:37.517",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:14.020",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Permite a atacantes obtener informaci\u00f3n confidencial sobre las URL del equipo por medio de una API"
}
],
"id": "CVE-2016-11075",
"lastModified": "2024-11-21T02:45:26.520",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.507",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0BE32F3-2D9E-4D09-8C27-8A302D1B0113",
"versionEndExcluding": "5.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.3.0. Maneja inapropiadamente la sincronizaci\u00f3n"
}
],
"id": "CVE-2018-21249",
"lastModified": "2024-11-21T04:03:17.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.380",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.15.0. El control de acceso de inicio de sesi\u00f3n puede ser omitido por medio de una entrada dise\u00f1ada"
}
],
"id": "CVE-2019-20859",
"lastModified": "2024-11-21T04:39:33.067",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.680",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Los nombres a desplegar permiten un ataque de tipo XSS"
}
],
"id": "CVE-2017-18893",
"lastModified": "2024-11-21T03:21:11.880",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.903",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-09 16:15
Modified
2024-11-21 08:50
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Summary
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C15FCA4-0D78-4869-B363-E7BE70D01A40",
"versionEndIncluding": "8.1.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF155062-28AC-4ABE-A2E2-17851686BEB1",
"versionEndIncluding": "9.1.4",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99A3CA31-1C54-4BAB-85EA-AF8B4795FB08",
"versionEndIncluding": "9.2.3",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.\u00a0\n\n"
},
{
"lang": "es",
"value": "Mattermost no verifica si existe una reacci\u00f3n de emoji personalizada al enviarla a una publicaci\u00f3n y no limita la cantidad de emojis personalizados que se pueden agregar en una publicaci\u00f3n, lo que permite que un atacante que env\u00eda una gran cantidad de emojis personalizados inexistentes en una publicaci\u00f3n falle la aplicaci\u00f3n m\u00f3vil de un usuario que ve la publicaci\u00f3n."
}
],
"id": "CVE-2024-1402",
"lastModified": "2024-11-21T08:50:30.447",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-09T16:15:07.880",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F6DEC5-61C3-4F30-A82F-604FF6213C27",
"versionEndExcluding": "5.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0. El primer usuario es a veces inadvertidamente un administrador del sistema"
}
],
"id": "CVE-2019-20886",
"lastModified": "2024-11-21T04:39:37.083",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.833",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:33
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "367753A5-CE5B-4EA7-8539-6ACFBC9ACABE",
"versionEndIncluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "553B4894-FB79-4996-BDEC-273EF6E96D9D",
"versionEndIncluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0856C685-4154-4549-B60A-4251C9E6B916",
"versionEndIncluding": "9.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB6EA21-B7ED-487D-B131-FA200023179E",
"versionEndIncluding": "9.1.2",
"versionStartIncluding": "9.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a\u00a0guest to update the tasks of a private playbook run if they know the run ID.\n\n"
},
{
"lang": "es",
"value": "Mattermost no verifica si un usuario es un invitado al actualizar las tareas de una ejecuci\u00f3n de un playbook privado, lo que permite a un invitado actualizar las tareas de una ejecuci\u00f3n de un playbook privado si conoce el ID de la ejecuci\u00f3n."
}
],
"id": "CVE-2023-49874",
"lastModified": "2024-11-21T08:33:58.347",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:09.310",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9810018-925D-4842-A38A-00743CDBFCC0",
"versionEndExcluding": "3.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592EBE66-F1CC-46C6-BB06-D204C5C20544",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.0.0, 3.10.2 y 3.9.2. Un ataque de tipo CSRF puede presentarse si CORS est\u00e1 habilitado"
}
],
"id": "CVE-2017-18903",
"lastModified": "2024-11-21T03:21:13.363",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.717",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Permite publicaciones dise\u00f1adas que pueden causar que un navegador web se cuelgue"
}
],
"id": "CVE-2017-18898",
"lastModified": "2024-11-21T03:21:12.643",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.373",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73C885F5-7CE0-4382-9685-357F96C84AF4",
"versionEndExcluding": "5.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post\u0027s file ID."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.10.0. Un atacante puede omitir la apariencia prevista de una flagEdited despu\u00e9s de cambiar un ID del archivo de una publicaci\u00f3n"
}
],
"id": "CVE-2019-20870",
"lastModified": "2024-11-21T04:39:34.727",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.563",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F6DEC5-61C3-4F30-A82F-604FF6213C27",
"versionEndExcluding": "5.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0. No siempre se genera un archivo robots.txt"
}
],
"id": "CVE-2019-20885",
"lastModified": "2024-11-21T04:39:36.933",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.770",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2965755B-6C26-43BB-9EFC-9E9C2DD32C8B",
"versionEndExcluding": "3.6.7",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. Luego de reiniciar un servidor, un atacante podr\u00eda conseguir repentinamente acceso al Endpoint de la API"
}
],
"id": "CVE-2017-18915",
"lastModified": "2024-11-21T03:21:15.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.413",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.12.0 | |
| mattermost | mattermost_server | 5.12.0 | |
| mattermost | mattermost_server | 5.12.0 | |
| mattermost | mattermost_server | 5.12.0 | |
| mattermost | mattermost_server | 5.12.0 | |
| mattermost | mattermost_server | 5.12.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF15413F-1CED-4450-AC57-AB19A58ACE6D",
"versionEndExcluding": "4.10.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "056C4668-8729-4D90-9EEB-618DB577F4EE",
"versionEndExcluding": "5.9.2",
"versionStartIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F29F9E71-AE9D-4B55-9E09-3DE4DE34ACCD",
"versionEndExcluding": "5.10.2",
"versionStartIncluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5C86EC7D-4B0A-4D19-9B69-7DBD9A7A5086",
"versionEndExcluding": "5.11.1",
"versionStartIncluding": "5.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.12.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "04564EB8-46EF-4CE5-BA4A-9196574373ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.12.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6BF94103-DC2E-404B-BDE2-593D1B38E62E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.12.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "0B950F72-1FD8-4EDB-AA8A-D9B690F0C89B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.12.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "4E1C3EDC-CFC8-4095-8951-E7EBD5B4FE4D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.12.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "19CE467D-48D1-4B5F-86C1-727F1AE0DD23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.12.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "BB6CD65C-0212-41FD-84C8-EBC0C7C3755C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.12.0, 5.11.1, 5.10.2, 5.9.2 y 4.10.10. La p\u00e1gina de inicio de sesi\u00f3n permite un ataque de tipo CSRF"
}
],
"id": "CVE-2019-20865",
"lastModified": "2024-11-21T04:39:33.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.203",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F6DEC5-61C3-4F30-A82F-604FF6213C27",
"versionEndExcluding": "5.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0, cuando Town Square es establecido a Solo Lectura. Unos usuarios pueden anclar o desanclar una publicaci\u00f3n"
}
],
"id": "CVE-2019-20883",
"lastModified": "2024-11-21T04:39:36.653",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.663",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-09 15:15
Modified
2024-11-21 08:57
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Summary
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C15FCA4-0D78-4869-B363-E7BE70D01A40",
"versionEndIncluding": "8.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user\u0027s\u00a0Jira connection in Mattermost only by viewing the message."
},
{
"lang": "es",
"value": "El complemento Mattermost Jira no protege contra el cierre de sesi\u00f3n CSRF, lo que permite a un atacante publicar un mensaje especialmente manipulado que desconectar\u00eda la conexi\u00f3n Jira de un usuario en Mattermost solo al ver el mensaje."
}
],
"id": "CVE-2024-23319",
"lastModified": "2024-11-21T08:57:29.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-09T15:15:08.133",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Un ataque de tipo XSS puede presentarse por medio de datos de OpenGraph"
}
],
"id": "CVE-2017-18882",
"lastModified": "2024-11-21T03:21:10.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.247",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-17 15:15
Modified
2024-11-21 07:39
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 7.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF73F9C4-BCB6-4C2A-8670-FEC62E0F1F65",
"versionEndExcluding": "7.7.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7A56BF61-5431-49BE-8D40-7C4DF2684087",
"versionEndExcluding": "7.8.2",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:7.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "638E6C89-8468-444A-BDBF-9A3086BBC269",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to redact from audit logs\u00a0the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).\n"
}
],
"id": "CVE-2023-1831",
"lastModified": "2024-11-21T07:39:59.037",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-17T15:15:06.923",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 11:15
Modified
2024-12-13 17:06
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D16EAB8-89FC-4745-8C40-CC83EE7A42EE",
"versionEndExcluding": "8.1.9",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC8F8F89-A3B1-4B3C-9ECE-F3FA8C64B41C",
"versionEndExcluding": "9.2.5",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6D6543F2-AF31-4A52-AAEA-3E5D37C0BCA2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.\n\n"
},
{
"lang": "es",
"value": "Las versiones 8.1.x anteriores a 8.1.9, 9.2.x anteriores a 9.2.5 y 9.3.0 de Mattermost no sanitizan los metadatos de las publicaciones que contienen enlaces permanentes en condiciones espec\u00edficas, lo que permite a un atacante autenticado acceder al contenido de publicaciones individuales en los canales que no eres miembro de."
}
],
"id": "CVE-2024-1942",
"lastModified": "2024-12-13T17:06:52.710",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-29T11:15:07.290",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C45588FA-B90C-44DB-B367-31E70C01FCA4",
"versionEndExcluding": "5.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.7. Permite omitir unas restricciones de detecci\u00f3n de direcciones de correo electr\u00f3nico"
}
],
"id": "CVE-2019-20890",
"lastModified": "2024-11-21T04:39:37.673",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:14.067",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2, cuando el almacenamiento local para archivos es usado. Un Administrador System puede crear archivos arbitrarios"
}
],
"id": "CVE-2017-18875",
"lastModified": "2024-11-21T03:21:09.280",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.117",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C298EE4-DB54-4B7C-8A07-DE50518F8942",
"versionEndExcluding": "3.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.9.0, cuando se usa SAML. El cifrado y la verificaci\u00f3n de firma no son obligatorios"
}
],
"id": "CVE-2017-18909",
"lastModified": "2024-11-21T03:21:14.203",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.8.0 | |
| mattermost | mattermost_server | 5.8.0 | |
| mattermost | mattermost_server | 5.8.0 | |
| mattermost | mattermost_server | 5.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70F0C7AE-BB5D-426C-84CC-2610A58A8267",
"versionEndExcluding": "4.10.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1DACDDEE-B65B-4645-853B-BB58BA504545",
"versionEndExcluding": "5.6.5",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55AE89D4-FD0A-498F-9B2E-F455DA97D686",
"versionEndExcluding": "5.7.2",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "2FE207BF-1014-4D99-8795-130C659429AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B0B7D3C4-9B51-4C95-BE86-1EFAB1176DFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "91A97AD8-9DFD-478A-A92A-4F6A45AB1A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "EA598408-A619-4668-83D0-2C9CCA78D2E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0, 5.7.2, 5.6.5 y 4.10.7. Los cambios en las direcciones de correo electr\u00f3nico no requieren el reingreso de credenciales"
}
],
"id": "CVE-2019-20879",
"lastModified": "2024-11-21T04:39:36.090",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F6DEC5-61C3-4F30-A82F-604FF6213C27",
"versionEndExcluding": "5.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0. Permite a atacantes adjuntar parcialmente un archivo a m\u00e1s de una publicaci\u00f3n"
}
],
"id": "CVE-2019-20884",
"lastModified": "2024-11-21T04:39:36.790",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.707",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-02 10:15
Modified
2024-11-21 08:36
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4FFBD373-195D-4481-B87D-5B329DBEC33D",
"versionEndExcluding": "8.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing\u00a0freshly demoted guests to change group names.\n\n"
},
{
"lang": "es",
"value": "Mattermost no actualiza los permisos de la sesi\u00f3n actual para un usuario que acaba de ser degradado a invitado, lo que permite a los invitados reci\u00e9n degradados cambiar los nombres de los grupos."
}
],
"id": "CVE-2023-50333",
"lastModified": "2024-11-21T08:36:51.637",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-02T10:15:08.723",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5, cuando es usado como proveedor de servicios OAuth versi\u00f3n 2.0. Maneja inapropiadamente una acci\u00f3n de denegaci\u00f3n para una redirecci\u00f3n"
}
],
"id": "CVE-2017-18897",
"lastModified": "2024-11-21T03:21:12.497",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.327",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 15:15
Modified
2024-09-04 17:25
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBEB8F40-C2DE-4E6F-8772-1BBCA44795A8",
"versionEndExcluding": "9.5.7",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5C9F963-57DF-41E2-AA46-242317D93786",
"versionEndExcluding": "9.7.6",
"versionStartIncluding": "9.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B4559B7-83E7-41B2-96A8-51F467CCD882",
"versionEndExcluding": "9.8.2",
"versionStartIncluding": "9.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BE71910-C7C4-4F33-BFD4-40D2EAA56DB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to properly validate\u00a0synced posts, when shared channels are enabled,\u00a0\u00a0which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels"
},
{
"lang": "es",
"value": " Las versiones de Mattermost 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 no validan correctamente las publicaciones sincronizadas cuando los canales compartidos est\u00e1n habilitados. que permite que un control remoto malicioso cree/actualice/elimine publicaciones arbitrarias en canales arbitrarios"
}
],
"id": "CVE-2024-41144",
"lastModified": "2024-09-04T17:25:48.123",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T15:15:13.427",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Permite una inyecci\u00f3n SQL durante la recuperaci\u00f3n de m\u00faltiples publicaciones"
}
],
"id": "CVE-2017-18888",
"lastModified": "2024-11-21T03:21:11.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.590",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.7.0 | |
| mattermost | mattermost_server | 4.7.0 | |
| mattermost | mattermost_server | 4.7.0 | |
| mattermost | mattermost_server | 4.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3C7A37D-AB68-481A-BFAC-99C52549AF53",
"versionEndExcluding": "4.5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B1646FC2-6616-4982-BFC2-5F429167BBC6",
"versionEndExcluding": "4.6.2",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "20A02468-1390-4956-BA9A-552CE6A5B8E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "A36AC2FD-D698-463E-B6E4-E98578578B22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "1367CF10-1AA7-4ACE-8EB5-3E79CF74C2D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "860BF218-5019-4CA2-A3E8-345947CCAF9B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user\u0027s account via a crafted SAML response."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.7.0, 4.6.2 y 4.5.2. Un atacante podr\u00eda autenticarse en una cuenta de usuario diferente por medio de una respuesta SAML dise\u00f1ada"
}
],
"id": "CVE-2018-21263",
"lastModified": "2024-11-21T04:03:19.173",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.067",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Presenta una API superflua en la que el administrador del sistema puede cambiar el nombre de la cuenta y la direcci\u00f3n de correo electr\u00f3nico de una cuenta LDAP"
}
],
"id": "CVE-2016-11077",
"lastModified": "2024-11-21T02:45:26.797",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC88F96-4FC6-4A4D-952A-B130E581D48A",
"versionEndExcluding": "3.6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. Un enlace externo puede presentarse en una p\u00e1gina de error incluso si no est\u00e1 en una lista de permitidos"
}
],
"id": "CVE-2017-18914",
"lastModified": "2024-11-21T03:21:14.940",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.367",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-10-29 09:15
Modified
2024-11-08 15:00
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B60FBA3A-FBFF-4632-AAE0-63E3385D2C6C",
"versionEndIncluding": "9.5.9",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DB77A85B-6574-43F2-B910-EF9418677AB7",
"versionEndIncluding": "9.10.2",
"versionStartIncluding": "9.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A06E25CB-F05E-40DD-99AF-647EEA7B9DF2",
"versionEndIncluding": "9.11.1",
"versionStartIncluding": "9.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks"
},
{
"lang": "es",
"value": "Las versiones 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 de Mattermost no pueden desinfectar las entradas del usuario en el frontend que se utilizan para la redirecci\u00f3n, lo que permite un path traversal del lado del cliente con un solo clic que conduce a CSRF en Playbooks."
}
],
"id": "CVE-2024-46872",
"lastModified": "2024-11-08T15:00:42.473",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-29T09:15:07.350",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E473B94D-A00F-4F9A-97D8-240019775FCC",
"versionEndExcluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.1. Permite a atacantes causar una denegaci\u00f3n de servicio por medio del comando de barra diagonal invite_people"
}
],
"id": "CVE-2018-21258",
"lastModified": "2024-11-21T04:03:18.480",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.787",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9CF1900-D16F-4DD7-BA72-209E3B752C32",
"versionEndExcluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 2.2.0. Permite el acceso no deseado a una informaci\u00f3n almacenada por un navegador web"
}
],
"id": "CVE-2016-11081",
"lastModified": "2024-11-21T02:45:27.363",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.883",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to disable\u00a0public Boards after the \"Enable Publicly-Shared Boards\" configuration option is disabled, resulting in\u00a0previously-shared\u00a0public Boards to remain accessible.\n\n"
}
],
"id": "CVE-2023-3586",
"lastModified": "2024-11-21T08:17:36.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.707",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 | |
| mattermost | mattermost_server | 5.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58037740-3A1E-4E97-BF05-7FD0A029B352",
"versionEndExcluding": "4.10.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D58AA43B-3BA9-49E8-9990-C75EDD80DBB4",
"versionEndExcluding": "5.5.2",
"versionStartIncluding": "5.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "265633A5-B99D-410D-AA05-EEC2C2D0737A",
"versionEndExcluding": "5.6.3",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "549BD8DD-BDE8-4BD2-AF2F-FB1524FD03B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "F9617DF4-C088-45E2-B5AE-ACDC67C506F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "4984DC54-ECA8-4D09-AC07-A0B6AFF2BDE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "6759822F-9E3B-43AF-94A6-76D12D31B2CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "AFE07030-5623-422C-A324-1D5504B21E7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.7.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "2B1A93DE-561B-41BD-86D3-C75471854A25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.7, 5.6.3, 5.5.2 y 4.10.5. Permite a atacantes causar una denegaci\u00f3n de servicio (consumo de la memoria) por medio de un webhook saliente o una integraci\u00f3n de comando de barra diagonal"
}
],
"id": "CVE-2019-20888",
"lastModified": "2024-11-21T04:39:37.373",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.957",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-401"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:26
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "367753A5-CE5B-4EA7-8539-6ACFBC9ACABE",
"versionEndIncluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "553B4894-FB79-4996-BDEC-273EF6E96D9D",
"versionEndIncluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0856C685-4154-4549-B60A-4251C9E6B916",
"versionEndIncluding": "9.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB6EA21-B7ED-487D-B131-FA200023179E",
"versionEndIncluding": "9.1.2",
"versionStartIncluding": "9.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/\u003ctelem_run_id\u003e as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a\u00a0CSRF attack.\n\n"
},
{
"lang": "es",
"value": "Mattermost no logra validar si se pasa una ruta relativa en /plugins/playbooks/api/v0/telemetry/run/ como ID de ejecuci\u00f3n de telemetr\u00eda, lo que permite a un atacante usar un payload de path traversal que apunta a un endpoint diferente que conduce a un ataque CSRF."
}
],
"id": "CVE-2023-45316",
"lastModified": "2024-11-21T08:26:43.897",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:07.740",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.11.0. Unas ID de invitaci\u00f3n fueron generadas inapropiadamente"
}
],
"id": "CVE-2019-20868",
"lastModified": "2024-11-21T04:39:34.420",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.423",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Un ataque de tipo XSS podr\u00eda presentarse por medio del campo title_link de un archivo adjunto de Slack"
}
],
"id": "CVE-2017-18880",
"lastModified": "2024-11-21T03:21:09.993",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.137",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2, cuando sirve como proveedor de servicios OAuth versi\u00f3n 2.0. Hay poca entrop\u00eda para los datos de autorizaci\u00f3n"
}
],
"id": "CVE-2017-18883",
"lastModified": "2024-11-21T03:21:10.410",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.310",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-331"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F20CF404-701D-4000-8CE9-5D03D41EB0F3",
"versionEndExcluding": "5.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0. Permite a atacantes causar una denegaci\u00f3n de servicio (consumo de la memoria) por medio de una importaci\u00f3n Slack de gran tama\u00f1o"
}
],
"id": "CVE-2019-20845",
"lastModified": "2024-11-21T04:39:30.983",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.573",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.5.0 | |
| mattermost | mattermost_server | 4.5.0 | |
| mattermost | mattermost_server | 4.5.0 | |
| mattermost | mattermost_server | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3D8AAC6-8CFD-408B-A11E-E9F8A1846478",
"versionEndExcluding": "4.2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2311B658-A293-47CA-873A-E28F7443D4B8",
"versionEndExcluding": "4.3.4",
"versionStartIncluding": "4.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6D90B0D-7882-4818-B2BA-D2B1A92C6C58",
"versionEndExcluding": "4.4.5",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "251BF2C1-3E96-46BF-9AA4-F30A19AF68C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56BAD3A2-A337-4A00-B546-0A106A593052",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "D7394620-98B0-4859-B279-CF77E02D1F1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "F2D92720-E499-4ED0-B323-49F5840527E3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.5.0, 4.4.5, 4.3.4 y 4.2.2. Permite a atacantes causar una denegaci\u00f3n de servicio (bloqueo de la aplicaci\u00f3n) por medio de un car\u00e1cter @ antes de un nombre del campo JavaScript"
}
],
"id": "CVE-2017-18871",
"lastModified": "2024-11-21T03:21:08.633",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:11.867",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D17BC777-43D7-4B7B-B969-23B85BC94AF9",
"versionEndExcluding": "3.10.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88AA2DE4-716D-43AD-BD34-DFA48FCBE22E",
"versionEndExcluding": "4.0.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.1.0, 4.0.4 y 3.10.3. Permite una inyecci\u00f3n de CSV por medio de un informe de cumplimiento"
}
],
"id": "CVE-2017-18900",
"lastModified": "2024-11-21T03:21:12.937",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.497",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:27
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "367753A5-CE5B-4EA7-8539-6ACFBC9ACABE",
"versionEndIncluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "553B4894-FB79-4996-BDEC-273EF6E96D9D",
"versionEndIncluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0856C685-4154-4549-B60A-4251C9E6B916",
"versionEndIncluding": "9.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB6EA21-B7ED-487D-B131-FA200023179E",
"versionEndIncluding": "9.1.2",
"versionStartIncluding": "9.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin\n\n"
},
{
"lang": "es",
"value": "Mattermost no verifica la longitud al configurar el t\u00edtulo en una lista de verificaci\u00f3n de ejecuci\u00f3n en Playbooks, lo que permite a un atacante enviar una solicitud especialmente manipulada y bloquear el complemento de Playbooks."
}
],
"id": "CVE-2023-45847",
"lastModified": "2024-11-21T08:27:28.717",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:07.983",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8B659909-2881-423D-B4FC-CAC7BD13F54A",
"versionEndExcluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post\u0027s appearance."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.3.0. Un atacante podr\u00eda usar la funcionalidad WebSocket para enviar mensajes emergentes a los usuarios o cambiar la apariencia de una publicaci\u00f3n"
}
],
"id": "CVE-2016-11065",
"lastModified": "2024-11-21T02:45:25.147",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F20CF404-701D-4000-8CE9-5D03D41EB0F3",
"versionEndExcluding": "5.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0. Un atacante puede enviar un evento del WebSocket user_typing a cualquier canal"
}
],
"id": "CVE-2019-20847",
"lastModified": "2024-11-21T04:39:31.273",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.713",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Permite una omisi\u00f3n de las restricciones sobre el uso de comandos de barra diagonal"
}
],
"id": "CVE-2017-18886",
"lastModified": "2024-11-21T03:21:10.830",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.483",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D1B6C17-7DD8-4F4C-AD57-4EC047DC6B7B",
"versionEndExcluding": "4.8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3DDA8F1F-A624-4B46-B88F-6E9FD0AA3408",
"versionEndExcluding": "4.9.4",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CFBF89EB-4772-4D9E-8DB8-9C959111E6D2",
"versionEndExcluding": "4.10.1",
"versionStartIncluding": "4.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.10.1, 4.9.4 y 4.8.2. Permite a atacantes causar una denegaci\u00f3n de servicio (suspensi\u00f3n de aplicaci\u00f3n) por medio de un enlace malformado en un canal"
}
],
"id": "CVE-2018-21259",
"lastModified": "2024-11-21T04:03:18.620",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.850",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-29 13:15
Modified
2024-11-21 08:45
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4FFBD373-195D-4481-B87D-5B329DBEC33D",
"versionEndExcluding": "8.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 8.1.6 y anteriores de Mattermost no sanitizan los datos de menciones del canal en las publicaciones, lo que permite a un atacante inyectar marcas en el cliente web."
}
],
"id": "CVE-2023-7113",
"lastModified": "2024-11-21T08:45:18.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T13:15:11.930",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-26 08:15
Modified
2024-09-26 18:42
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC97EDD1-AD9D-484B-99B0-D49541EFBA52",
"versionEndExcluding": "9.5.9",
"versionStartIncluding": "9.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.5.x \u003c= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows\u00a0an attacker to view posts and files of archived channels via file links."
},
{
"lang": "es",
"value": "Las versiones 9.5.x \u0026lt;= 9.5.8 de Mattermost no autorizan correctamente el acceso a los canales archivados cuando la visualizaci\u00f3n de canales archivados est\u00e1 deshabilitada, lo que permite a un atacante ver publicaciones y archivos de canales archivados a trav\u00e9s de enlaces de archivos."
}
],
"id": "CVE-2024-47145",
"lastModified": "2024-09-26T18:42:33.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-26T08:15:06.403",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Permite un ataque de tipo XSS por medio de una URL de redireccionamiento"
}
],
"id": "CVE-2016-11079",
"lastModified": "2024-11-21T02:45:27.083",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.743",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E473B94D-A00F-4F9A-97D8-240019775FCC",
"versionEndExcluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.1. Permite a atacantes omitir unas restricciones de acceso previstas (para establecer un encabezado de canal) por medio de la API de comando de barra diagonal del encabezado Channel"
}
],
"id": "CVE-2018-21257",
"lastModified": "2024-11-21T04:03:18.347",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.740",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2, cuando es usado almacenamiento local para archivos. Un administrador System puede lograr un salto de directorio"
}
],
"id": "CVE-2017-18874",
"lastModified": "2024-11-21T03:21:09.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:09.950",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Unos usuarios pueden desactivarse a s\u00ed mismos, omitiendo una pol\u00edtica"
}
],
"id": "CVE-2019-20876",
"lastModified": "2024-11-21T04:39:35.633",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3FCC29C7-66D2-4868-BED3-4AFDC30DAEA8",
"versionEndExcluding": "5.13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.13.0. Una creaci\u00f3n de webhook entrante no est\u00e1 restringida apropiadamente"
}
],
"id": "CVE-2019-20863",
"lastModified": "2024-11-21T04:39:33.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.930",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-25 14:15
Modified
2024-11-21 07:58
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94666C53-2515-42CF-9EE0-F3CD3B801751",
"versionEndExcluding": "7.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.\n\n\n"
}
],
"id": "CVE-2023-2281",
"lastModified": "2024-11-21T07:58:18.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-25T14:15:09.423",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Un ataque de tipo XSS podr\u00eda presentarse por medio de una respuesta goto_location a un comando de barra diagonal"
}
],
"id": "CVE-2017-18881",
"lastModified": "2024-11-21T03:21:10.130",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:33
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FA74D02-6508-49A3-960F-22B84B6E5B51",
"versionEndIncluding": "8.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0882E48-E077-4E4E-9A76-ACDAEEFC6573",
"versionEndIncluding": "9.1.0",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.\u00a0\n\n"
},
{
"lang": "es",
"value": "Mattermost no logra manejar un cuerpo de solicitud nulo en el endpoint /add, lo que permite que un miembro simple env\u00ede una solicitud con un cuerpo de solicitud nulo a ese endpoint y haga que falle. Despu\u00e9s de algunas repeticiones, el complemento se desactiva."
}
],
"id": "CVE-2023-49809",
"lastModified": "2024-11-21T08:33:53.100",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:09.110",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-02 18:15
Modified
2024-11-21 06:41
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 6.5.0 | |
| mattermost | mattermost_server | 6.6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "714383FD-1D54-4B36-A5FA-8D0A9E6B438C",
"versionEndExcluding": "6.3.8",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E6413F4-61BF-47CE-9617-498867F29A99",
"versionEndExcluding": "6.4.3",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3293CAA5-331A-41F0-85F0-45F2D579FA8D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5144C178-AA3E-43CC-80E2-77BC8689FE7A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post."
},
{
"lang": "es",
"value": "Un consumo no controlado de recursos en Mattermost versiones 6.6.0 y anteriores, permite a un atacante autenticado bloquear el servidor por medio de un archivo adjunto SVG dise\u00f1ado en un mensaje"
}
],
"id": "CVE-2022-1982",
"lastModified": "2024-11-21T06:41:53.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-02T18:15:08.633",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 15:15
Modified
2024-09-04 17:34
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBEB8F40-C2DE-4E6F-8772-1BBCA44795A8",
"versionEndExcluding": "9.5.7",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5C9F963-57DF-41E2-AA46-242317D93786",
"versionEndExcluding": "9.7.6",
"versionStartIncluding": "9.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B4559B7-83E7-41B2-96A8-51F467CCD882",
"versionEndExcluding": "9.8.2",
"versionStartIncluding": "9.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BE71910-C7C4-4F33-BFD4-40D2EAA56DB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to disallow\u00a0users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn\u0027t been synced before."
},
{
"lang": "es",
"value": " Las versiones de Mattermost 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 no permiten que los usuarios establezcan su propio nombre de usuario remoto cuando se comparte. Se habilitaron canales, lo que permite a un usuario en un control remoto configurar su nombre de usuario remoto en una cadena arbitraria, que luego se sincronizar\u00eda con el servidor local siempre que el usuario no se hubiera sincronizado antes."
}
],
"id": "CVE-2024-39839",
"lastModified": "2024-09-04T17:34:06.817",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T15:15:12.993",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.\n\n"
}
],
"id": "CVE-2023-3591",
"lastModified": "2024-11-21T08:17:37.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.933",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9810018-925D-4842-A38A-00743CDBFCC0",
"versionEndExcluding": "3.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592EBE66-F1CC-46C6-BB06-D204C5C20544",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.0.0, 3.10.2 y 3.9.2. Permite un ataque de tipo XSS por medio de un archivo cargado"
}
],
"id": "CVE-2017-18904",
"lastModified": "2024-11-21T03:21:13.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.763",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Las plantillas de correo electr\u00f3nico pueden tener un campo en el que el contenido HTML no es neutralizado"
}
],
"id": "CVE-2017-18892",
"lastModified": "2024-11-21T03:21:11.727",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.840",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-09 15:15
Modified
2024-11-21 08:59
Severity ?
3.4 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Summary
Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C15FCA4-0D78-4869-B363-E7BE70D01A40",
"versionEndIncluding": "8.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in\u00a0registered users on Jira being able to create webhooks that give them access to all Jira issues.\n\n"
},
{
"lang": "es",
"value": "El complemento Mattermost Jira que maneja las suscripciones no verifica el nivel de seguridad de un problema entrante ni lo limita seg\u00fan el usuario que cre\u00f3 la suscripci\u00f3n, lo que hace que los usuarios registrados en Jira puedan crear webhooks que les den acceso a todos los problemas de Jira."
}
],
"id": "CVE-2024-24774",
"lastModified": "2024-11-21T08:59:40.547",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-09T15:15:08.343",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-09 15:15
Modified
2024-11-21 08:59
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C15FCA4-0D78-4869-B363-E7BE70D01A40",
"versionEndIncluding": "8.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to check the required permissions in the\u00a0POST /api/v4/channels/stats/member_count API resulting in\u00a0channel member counts being leaked to a user without permissions.\n\n"
},
{
"lang": "es",
"value": "Mattermost no verifica los permisos requeridos en la API POST /api/v4/channels/stats/member_count, lo que provoca que los recuentos de miembros del canal se filtren a un usuario sin permisos."
}
],
"id": "CVE-2024-24776",
"lastModified": "2024-11-21T08:59:40.850",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-09T15:15:08.547",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly restrict requests to\u00a0localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u00a0blind SSRF.\n\n"
}
],
"id": "CVE-2023-3577",
"lastModified": "2024-11-21T08:17:35.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.330",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-22 16:15
Modified
2024-10-17 14:05
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Summary
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "32EE0958-90BA-4026-9C64-1823B86F341D",
"versionEndExcluding": "9.5.8",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B43DB6F9-1C15-45DB-A5E7-E46F4162436B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL."
},
{
"lang": "es",
"value": "Las versiones 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 de Mattermost no aplican correctamente los permisos, lo que permite a un usuario administrador del equipo sin el permiso \"Agregar miembros del equipo\" deshabilitar la URL de invitaci\u00f3n."
}
],
"id": "CVE-2024-40884",
"lastModified": "2024-10-17T14:05:16.247",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-22T16:15:08.797",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Permite a atacantes causar una denegaci\u00f3n de servicio (invisibilidad del canal) por medio de una publicaci\u00f3n formateada incorrectamente"
}
],
"id": "CVE-2017-18873",
"lastModified": "2024-11-21T03:21:08.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:10.600",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD5909C2-4468-451A-A1CC-945352FA55D5",
"versionEndExcluding": "5.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.12.0. Un uso de un encabezado HTTP Proxy, en lugar de la direcci\u00f3n de origen en un encabezado de paquete IP, para obtener informaci\u00f3n de la direcci\u00f3n IP fue manejado inapropiadamente"
}
],
"id": "CVE-2019-20866",
"lastModified": "2024-11-21T04:39:34.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "31481AAF-DD23-4481-9E33-815D1FAB9946",
"versionEndExcluding": "3.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.6.2. La funcionalidad WebSocket no sigue la Pol\u00edtica del Mismo Origen"
}
],
"id": "CVE-2017-18920",
"lastModified": "2024-11-21T03:21:15.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.710",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C579580-F670-4324-A756-D536B7DE1AA5",
"versionEndExcluding": "5.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.21.0. Unas operaciones de lectura de socket no est\u00e1n restringidas apropiadamente, lo que permite a atacantes causar una denegaci\u00f3n de servicio, tambi\u00e9n se conoce como MMSA-2020-0005"
}
],
"id": "CVE-2020-14453",
"lastModified": "2024-11-21T05:03:18.940",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.573",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user\u0027s behalf."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Permite a atacantes obtener privilegios al acceder a endpoints de la API no deseados en nombre de un usuario"
}
],
"id": "CVE-2017-18885",
"lastModified": "2024-11-21T03:21:10.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.420",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DD41DB0-EC52-4C5C-9B80-05DD3E21B184",
"versionEndExcluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.2.0. La API initial_load revel\u00f3 informaci\u00f3n personal innecesaria"
}
],
"id": "CVE-2016-11066",
"lastModified": "2024-11-21T02:45:25.273",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.680",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DD41DB0-EC52-4C5C-9B80-05DD3E21B184",
"versionEndExcluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.2.0. Maneja inapropiadamente los intentos de fuerza bruta en el cambio de contrase\u00f1a"
}
],
"id": "CVE-2016-11069",
"lastModified": "2024-11-21T02:45:25.687",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.147",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-521"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-09 18:15
Modified
2024-11-14 16:47
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E0D68CA-544B-4031-AEAA-D6DD19F0424D",
"versionEndExcluding": "9.11.3",
"versionStartIncluding": "9.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D08969BB-2AE8-4583-8205-F39C44039955",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "07AF48D9-3CA9-4D3F-9F2E-975858205BA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "23737B5A-A878-46FA-9261-CF87246DF759",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "CF95680E-B893-42E4-A639-D9753E1C85E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "594BC592-4333-4BC4-8868-091001AB5E36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 10.0.x \u003c= 10.0.0 and 9.11.x \u003c= 9.11.2 fail to properly query ElasticSearch when\u00a0searching for the channel name in channel switcher\u00a0which allows an attacker to get private channels names of channels that they are not a member of,\u00a0when Elasticsearch v8 was enabled."
},
{
"lang": "es",
"value": "Las versiones 10.0.x \u0026lt;= 10.0.0 y 9.11.x \u0026lt;= 9.11.2 de Mattermost no pueden consultar correctamente ElasticSearch cuando buscan el nombre del canal en el conmutador de canales, lo que permite que un atacante obtenga nombres de canales privados de canales de los que no es miembro, cuando Elasticsearch v8 estaba habilitado."
}
],
"id": "CVE-2024-52032",
"lastModified": "2024-11-14T16:47:21.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-09T18:15:15.203",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE632173-C23D-4B46-A7DB-D10EA968EDE0",
"versionEndExcluding": "3.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.5.1. Un ataque de tipo XSS puede presentarse por medio de la vista previa del archivo"
}
],
"id": "CVE-2016-11063",
"lastModified": "2024-11-21T02:45:24.867",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.493",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC88F96-4FC6-4A4D-952A-B130E581D48A",
"versionEndExcluding": "3.6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. El control de acceso de endpoint de la API no respeta una restricci\u00f3n de permiso de integraci\u00f3n"
}
],
"id": "CVE-2017-18916",
"lastModified": "2024-11-21T03:21:15.217",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.477",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "785D734A-A606-419D-9DA6-CD8067A4D854",
"versionEndExcluding": "5.22.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.22.0. El renderizador markdown permite a atacantes causar una denegaci\u00f3n de servicio (del lado del cliente), tambi\u00e9n se conoce como MMSA-2020-0017"
}
],
"id": "CVE-2020-14450",
"lastModified": "2024-11-21T05:03:18.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.387",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE365D7-09E6-424C-A8FE-B7BDCC76B749",
"versionEndExcluding": "7.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by\u00a0posting a specially crafted boards link.\n\n"
}
],
"id": "CVE-2023-3585",
"lastModified": "2024-11-21T08:17:36.357",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.633",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost\u00a0fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.\n\n"
}
],
"id": "CVE-2023-3590",
"lastModified": "2024-11-21T08:17:37.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.857",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9810018-925D-4842-A38A-00743CDBFCC0",
"versionEndExcluding": "3.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592EBE66-F1CC-46C6-BB06-D204C5C20544",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.0.0, 3.10.2 y 3.9.2, cuando se usaba como proveedor de servicios OAuth versi\u00f3n 2.0, una invalidaci\u00f3n de Sesi\u00f3n se manej\u00f3 inapropiadamente"
}
],
"id": "CVE-2017-18905",
"lastModified": "2024-11-21T03:21:13.643",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.087",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC88F96-4FC6-4A4D-952A-B130E581D48A",
"versionEndExcluding": "3.6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. Permite a un atacante especificar un nombre de ruta completo de un archivo de registro"
}
],
"id": "CVE-2017-18912",
"lastModified": "2024-11-21T03:21:14.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.997",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Permite a atacantes obtener informaci\u00f3n confidencial durante un cambio de rol"
}
],
"id": "CVE-2019-20874",
"lastModified": "2024-11-21T04:39:35.307",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E473B94D-A00F-4F9A-97D8-240019775FCC",
"versionEndExcluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.1. Los no miembros de un canal podr\u00edan usar la API Channel PATCH para modificar ese canal"
}
],
"id": "CVE-2018-21255",
"lastModified": "2024-11-21T04:03:18.070",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.663",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDD98A01-CCD5-4E18-AFE4-64CC28B479C4",
"versionEndExcluding": "7.8.5",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly check the authorization of\u00a0POST /api/v4/teams when passing a team override scheme ID in the request,\u00a0allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.\n\n"
}
],
"id": "CVE-2023-3584",
"lastModified": "2024-11-21T08:17:36.207",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.553",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
6.2 (Medium) - CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.\n\n"
}
],
"id": "CVE-2023-3581",
"lastModified": "2024-11-21T08:17:35.923",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.3,
"impactScore": 5.9,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.410",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.10.0 | |
| mattermost | mattermost_server | 5.10.0 | |
| mattermost | mattermost_server | 5.10.0 | |
| mattermost | mattermost_server | 5.10.0 | |
| mattermost | mattermost_server | 5.10.0 | |
| mattermost | mattermost_server | 5.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DF1BD03-592B-4B18-8A4A-64F2083E54A2",
"versionEndExcluding": "4.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC95FB62-B511-46E4-9DF5-AC8178729384",
"versionEndExcluding": "5.8.2",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D630E41C-C950-4B40-B5C0-AB0218EDC24F",
"versionEndExcluding": "5.9.1",
"versionStartIncluding": "5.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.10.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0C8A407B-DFFF-46CB-8F75-E586880D4F74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.10.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "24DBA486-EDAF-47BD-BD19-68D5D573BEBC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.10.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6CC1AE2C-DA70-4E89-BDE3-1CA3DB8702C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.10.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FCC7E5B3-0EFF-4FFD-8C85-BCCC98AEEFE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.10.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "84CC8660-6431-4909-9688-19C468E60CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.10.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "44BD6D9B-B890-45C8-81FD-9EBA9D4E195E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.10.0, 5.9.1, 5.8.2 y 4.10.9. Un no miembro podr\u00eda cambiar el endpoint Update/Patch Channel para un canal privado"
}
],
"id": "CVE-2019-20869",
"lastModified": "2024-11-21T04:39:34.573",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.483",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-26 08:15
Modified
2024-09-26 18:42
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.11.0 | |
| mattermost | mattermost_server | 9.11.0 | |
| mattermost | mattermost_server | 9.11.0 | |
| mattermost | mattermost_server | 9.11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC97EDD1-AD9D-484B-99B0-D49541EFBA52",
"versionEndExcluding": "9.5.9",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:-:*:*:*:*:*:*",
"matchCriteriaId": "E7436086-F0AC-4AB8-B611-7B8E1AE2E4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D5310C1D-DA5F-46B5-BA33-F7C3D6A63C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "BCE22F86-00E2-42E0-8343-D3AD818AA943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "641065E7-F36F-42F3-A098-B7131DB0D2F5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.11.x \u003c= 9.11.0 and 9.5.x \u003c= 9.5.8 fail to validate that the message of the permalink post is a string,\u00a0which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend."
},
{
"lang": "es",
"value": "Las versiones 9.11.x \u0026lt;= 9.11.0 y 9.5.x \u0026lt;= 9.5.8 de Mattermost no logran validar que el mensaje de la publicaci\u00f3n de enlace permanente sea una cadena, lo que permite a un atacante enviar un valor que no sea una cadena como mensaje de una publicaci\u00f3n de enlace permanente y bloquear el frontend."
}
],
"id": "CVE-2024-47003",
"lastModified": "2024-09-26T18:42:29.383",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-26T08:15:06.227",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-05 09:15
Modified
2024-12-13 16:21
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Summary
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66FEDCF9-277A-4D60-8A28-948068A10F91",
"versionEndExcluding": "8.1.11",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4A105B6-CFF8-4FF0-A70D-F3C390AE0FAD",
"versionEndExcluding": "9.3.3",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "600DCF59-6535-484C-9DDC-E33834B90B25",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7A768D77-9FF0-4C1B-81B0-AD2187832E62",
"versionEndExcluding": "9.5.2",
"versionStartIncluding": "9.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint\u00a0allowing\u00a0a team admin to get the invite ID of their team, thus allowing them to invite users, even if the \"Add Members\" permission was explicitly removed from team admins. \n\n"
},
{
"lang": "es",
"value": "Control de acceso inadecuado en las versiones de Mattermost Server 9.5.x anteriores a 9.5.2, 9.4.x anteriores a 9.4.4, 9.3.x anteriores a 9.3.3, 8.1.x anteriores a 8.1.11 carec\u00edan de control de acceso adecuado en el endpoint `/api/v4/users/me/teams` que permite a un administrador de equipo obtener el ID de invitaci\u00f3n de su equipo, lo que les permite invitar a usuarios, incluso si el permiso \"Agregar miembros\" se elimin\u00f3 expl\u00edcitamente de los administradores de equipo."
}
],
"id": "CVE-2024-29221",
"lastModified": "2024-12-13T16:21:08.447",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-05T09:15:09.680",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-09 11:15
Modified
2024-11-21 08:41
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "714E3E9F-A35A-456F-B198-C1CBD09169C6",
"versionEndExcluding": "7.8.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "135D194F-2285-4EB4-9963-5BCB97F6BC6B",
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC20942B-35AD-4EF5-8878-6E112865E3D5",
"versionEndExcluding": "8.1.2",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to deduplicate input IDs allowing a\u00a0simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. \n\n"
},
{
"lang": "es",
"value": "Mattermost no logra desdoblar los ID de entrada, lo que permite que un simple usuario haga que la aplicaci\u00f3n consuma recursos excesivos y posiblemente falle al enviar una solicitud especialmente manipulada a /api/v4/users/ids con m\u00faltiples ID id\u00e9nticos."
}
],
"id": "CVE-2023-5333",
"lastModified": "2024-11-21T08:41:33.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-09T11:15:11.363",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9CF1900-D16F-4DD7-BA72-209E3B752C32",
"versionEndExcluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 2.2.0. Permite un ataque de tipo XSS por medio de un enlace dise\u00f1ado"
}
],
"id": "CVE-2016-11082",
"lastModified": "2024-11-21T02:45:27.517",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.930",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:40
Severity ?
Summary
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D412B045-8564-4981-8A8F-8E56EEB92786",
"versionEndExcluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 1.2.0. Permite a atacantes causar una denegaci\u00f3n de servicio (consumo de la memoria) por medio de un peque\u00f1o archivo comprimido que tiene un gran tama\u00f1o cuando no est\u00e1 comprimido"
}
],
"id": "CVE-2015-9548",
"lastModified": "2024-11-21T02:40:54.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.367",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A5BE0A1-194D-4E16-8547-2290F3BF777D",
"versionEndExcluding": "5.9.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "87675506-EA42-48F1-B12B-C137D58A31BC",
"versionEndExcluding": "5.15.4",
"versionStartIncluding": "5.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88A5E809-55F9-4B8C-8CC9-D2263632626E",
"versionEndExcluding": "5.16.4",
"versionStartIncluding": "5.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1861A510-327D-452B-A4FA-12204ECA2358",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "5966FFD8-6763-48E0-85A3-6624241F6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "51C15C53-6CCF-4A49-AAF2-88AE72E2216F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F46E3522-C7EB-4139-84F5-AFCED85D3C19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "7A353365-71E8-4382-9212-BD4495F5CF7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0, 5.17.2, 5.16.4, 5.15.4 y 5.9.7. Un atacante puede suplantar un canal de mensaje directo al cambiar el tipo de canal"
}
],
"id": "CVE-2019-20844",
"lastModified": "2024-11-21T04:39:30.833",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.510",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-924"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator\u0027s e-mail address to members."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Revela una direcci\u00f3n de correo electr\u00f3nico del creador del equipo a los miembros"
}
],
"id": "CVE-2017-18887",
"lastModified": "2024-11-21T03:21:10.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.530",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Permite Phishing porque una p\u00e1gina de error puede tener un enlace"
}
],
"id": "CVE-2017-18891",
"lastModified": "2024-11-21T03:21:11.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.780",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Permite un ataque de tipo XSS por medio de una configuraci\u00f3n Legal o Support"
}
],
"id": "CVE-2016-11073",
"lastModified": "2024-11-21T02:45:26.247",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.397",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC88F96-4FC6-4A4D-952A-B130E581D48A",
"versionEndExcluding": "3.6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. La comprobaci\u00f3n del certificado X.509 puede ser omitida para un servidor de correo electr\u00f3nico basado en TLS"
}
],
"id": "CVE-2017-18911",
"lastModified": "2024-11-21T03:21:14.520",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.937",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Un enlace de restablecimiento de contrase\u00f1a podr\u00eda ser reutilizado"
}
],
"id": "CVE-2016-11074",
"lastModified": "2024-11-21T02:45:26.380",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.460",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E473B94D-A00F-4F9A-97D8-240019775FCC",
"versionEndExcluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.1. Permite a atacantes omitir las restricciones de acceso previstas (para la creaci\u00f3n del canal de mensajes grupales) por medio del comando Barra de mensajes grupales"
}
],
"id": "CVE-2018-21256",
"lastModified": "2024-11-21T04:03:18.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:10.740",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-31 12:15
Modified
2024-11-21 07:39
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 7.7.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68480D55-9BBC-46E3-8DE9-A2F13F2F8853",
"versionEndExcluding": "7.1.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:7.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BB8E1831-9267-467F-A646-84052F0A3FAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.\n\n\n"
}
],
"id": "CVE-2023-1776",
"lastModified": "2024-11-21T07:39:53.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-31T12:15:06.750",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "299E58B9-BB6D-45C0-91FC-545B784B0979",
"versionEndExcluding": "3.6.5",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8158E430-7C21-486E-9B67-053F258AB134",
"versionEndExcluding": "3.7.3",
"versionStartIncluding": "3.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.7.3 y 3.6.5. Un Administrador de Sistema puede colocar un certificado SAML en un nombre de ruta arbitraria"
}
],
"id": "CVE-2017-18918",
"lastModified": "2024-11-21T03:21:15.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.587",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-15 10:15
Modified
2024-12-13 16:39
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0ADAC025-32F2-4971-81F3-4D2939890060",
"versionEndExcluding": "8.1.10",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71A20DFB-85FA-480C-956A-24B50AB1862D",
"versionEndExcluding": "9.2.6",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA0D2B39-6A65-4B91-925D-20087EF4CCB9",
"versionEndExcluding": "9.3.2",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74D75B50-ED53-47E4-A43A-1D3D8CFE4F8E",
"versionEndExcluding": "9.4.3",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B07517BC-19F5-4D44-BEB4-7D0CF9565707",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.\n\n"
},
{
"lang": "es",
"value": "Las versiones de Mattermost 8.1.x anteriores a 8.1.10, 9.2.x anteriores a 9.2.6, 9.3.x anteriores a 9.3.2 y 9.4.x anteriores a 9.4.3 no verifican correctamente la propiedad de la cuenta al cambiar del correo electr\u00f3nico a la autenticaci\u00f3n SAML. permitir que un atacante autenticado se apodere de otras cuentas de usuario mediante una solicitud de cambio dise\u00f1ada en condiciones espec\u00edficas."
}
],
"id": "CVE-2024-2450",
"lastModified": "2024-12-13T16:39:12.887",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-15T10:15:08.467",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE632173-C23D-4B46-A7DB-D10EA968EDE0",
"versionEndExcluding": "3.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.5.1. La verificaci\u00f3n de la direcci\u00f3n de correo electr\u00f3nico puede ser omitida"
}
],
"id": "CVE-2016-11062",
"lastModified": "2024-11-21T02:45:24.723",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.430",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-12 14:15
Modified
2024-11-21 07:00
Severity ?
5.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 6.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D311744-6A53-4DD9-BE49-46E72BE1FB32",
"versionEndExcluding": "6.3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "06ABE3B1-53EA-42AB-B986-E5A660677075",
"versionEndExcluding": "6.5.2",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73084053-CBD7-499B-9CDF-2DD26CA85FF6",
"versionEndExcluding": "6.6.2",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "13763CA7-57C3-4EBE-96D6-C244B5FE2704",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers."
},
{
"lang": "es",
"value": "Una configuraci\u00f3n incorrecta por defecto del encabezado IP confiable en Mattermost versiones 6.7.0 y anteriores, permite a atacantes omitir algunas de las limitaciones de velocidad presentes o usar IPs manipuladas para el registro de auditor\u00eda por medio de la manipulaci\u00f3n de los encabezados de petici\u00f3n"
}
],
"id": "CVE-2022-2366",
"lastModified": "2024-11-21T07:00:50.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-12T14:15:15.743",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Un atacante podr\u00eda crear publicaciones ficticias de mensajes del sistema por medio de webhooks y comandos de barra diagonal, en la API REST versiones v3 o v4"
}
],
"id": "CVE-2017-18889",
"lastModified": "2024-11-21T03:21:11.273",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.653",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 11:15
Modified
2024-12-13 17:09
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D16EAB8-89FC-4745-8C40-CC83EE7A42EE",
"versionEndExcluding": "8.1.9",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC8F8F89-A3B1-4B3C-9ECE-F3FA8C64B41C",
"versionEndExcluding": "9.2.5",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B3CC387-1591-408A-A136-9B5B4C921223",
"versionEndExcluding": "9.4.2",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6D6543F2-AF31-4A52-AAEA-3E5D37C0BCA2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.\n\n"
},
{
"lang": "es",
"value": "Las versiones de Mattermost 8.1.x anteriores a 8.1.9, 9.2.x anteriores a 9.2.5, 9.3.0 y 9.4.x anteriores a 9.4.2 no limitan el n\u00famero de nombres de roles solicitados desde la API, lo que permite a un atacante autenticado provocar que el servidor se quede sin memoria y falle al emitir una solicitud HTTP inusualmente grande."
}
],
"id": "CVE-2024-1953",
"lastModified": "2024-12-13T17:09:21.973",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-29T11:15:08.413",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB47FDC1-2502-4123-B72B-E741AE360939",
"versionEndExcluding": "4.10.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E77175BB-85E2-4F4D-8BF1-6BD74224CCBD",
"versionEndExcluding": "5.0.3",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8EBEC3A7-1291-4C7E-BBA9-88ADB5EBE94D",
"versionEndExcluding": "5.1.1",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4278AE6D-09CF-4E82-B728-EDD1DFD6C4D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "094E718B-6916-4473-A289-5CA8A1291969",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6188A07E-A8A2-4573-9882-7FEF4316D688",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "3D223D23-FE0B-44A5-AEC3-F6935AFFBC0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "F3807BAF-FEE4-4A35-8CDA-E3BE991BC117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "5821F28D-E507-446F-98CF-9284A588E8CA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.2, 5.1.1, 5.0.3 y 4.10.3. Los atacantes podr\u00edan usar m\u00faltiples direcciones de correo electr\u00f3nico para omitir una pol\u00edtica basada en el dominio para las suscripciones"
}
],
"id": "CVE-2018-21252",
"lastModified": "2024-11-21T04:03:17.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:10.677",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6AB860A-094E-44FF-B3C5-81CECCE1EDA2",
"versionEndExcluding": "4.6.3",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B71D35D-001D-4243-8ED4-61D7ADF5B36B",
"versionEndExcluding": "4.7.4",
"versionStartIncluding": "4.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12A10C0B-FEE4-4B1B-8B5E-DA0846EC1FCC",
"versionEndExcluding": "4.8.1",
"versionStartIncluding": "4.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.8.1, 4.7.4 y 4.6.3. Una invitaci\u00f3n por correo electr\u00f3nico inclu\u00eda accidentalmente el invite_id del equipo, lo que conlleva a privilegios excesivos no deseados"
}
],
"id": "CVE-2018-21261",
"lastModified": "2024-11-21T04:03:18.897",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.943",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Permite un restablecimiento de la contrase\u00f1a mientras se cambia una direcci\u00f3n de correo electr\u00f3nico"
}
],
"id": "CVE-2019-20875",
"lastModified": "2024-11-21T04:39:35.457",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.193",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-27 15:15
Modified
2024-11-21 07:52
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5905FB2-E275-4956-B1A0-46346378A795",
"versionEndExcluding": "7.7.0",
"versionStartIncluding": "5.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\n\n\n"
}
],
"id": "CVE-2023-27266",
"lastModified": "2024-11-21T07:52:33.790",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-27T15:15:12.067",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0CE05BA1-5C96-4172-8DA6-CB0FA61F9A80",
"versionEndExcluding": "5.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel\u0027s post loading via one crafted post."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.11.0. Un atacante puede interferir con la carga de publicaciones de un canal por medio de una publicaci\u00f3n dise\u00f1ada"
}
],
"id": "CVE-2019-20867",
"lastModified": "2024-11-21T04:39:34.267",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.327",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F13C7A3C-89E4-48CD-8990-EA7B19217A86",
"versionEndExcluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.1.0. Permite un ataque de tipo XSS porque los mecanismos de protecci\u00f3n noreferrer y noopener no estaban en su lugar"
}
],
"id": "CVE-2016-11071",
"lastModified": "2024-11-21T02:45:25.953",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.273",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9CF1900-D16F-4DD7-BA72-209E3B752C32",
"versionEndExcluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 2.2.0. Permite un ataque de tipo XSS porque configura archivos para que sean abiertos en una ventana del navegador"
}
],
"id": "CVE-2016-11083",
"lastModified": "2024-11-21T02:45:27.663",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.977",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41385E2E-1E21-4042-9EAF-997BE7C717FD",
"versionEndExcluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.4.0. Maneja inapropiadamente una posesi\u00f3n de credenciales de autenticaci\u00f3n superfluas"
}
],
"id": "CVE-2018-21248",
"lastModified": "2024-11-21T04:03:17.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.333",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F20CF404-701D-4000-8CE9-5D03D41EB0F3",
"versionEndExcluding": "5.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0. Presenta permisos d\u00e9biles para el almacenamiento de archivos locales del servidor"
}
],
"id": "CVE-2019-20846",
"lastModified": "2024-11-21T04:39:31.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.650",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-281"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-05 09:15
Modified
2024-12-13 16:36
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66FEDCF9-277A-4D60-8A28-948068A10F91",
"versionEndExcluding": "8.1.11",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel\n\n"
},
{
"lang": "es",
"value": "El control de acceso inadecuado en las versiones 8.1.x anteriores a 8.1.11 de Mattermost Server permite que un atacante que se encuentra en un canal con una llamada activa siga participando en la llamada incluso si se elimina del canal."
}
],
"id": "CVE-2024-21848",
"lastModified": "2024-12-13T16:36:59.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-05T09:15:09.017",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-273"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-19 21:15
Modified
2024-11-21 06:40
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://hackerone.com/reports/1486820 | Exploit, Third Party Advisory | |
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1486820 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668",
"versionEndExcluding": "6.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."
},
{
"lang": "es",
"value": "Mattermost versiones 6.4.x y anteriores no invalidan apropiadamente las invitaciones por correo electr\u00f3nico pendientes cuando la acci\u00f3n es llevada a cabo desde la consola del sistema, lo que permite a usuarios invitados accidentalmente unirse al espacio de trabajo y acceder a la informaci\u00f3n de los equipos y canales p\u00fablicos"
}
],
"id": "CVE-2022-1385",
"lastModified": "2024-11-21T06:40:37.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-19T21:15:14.103",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1486820"
},
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1486820"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-664"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Maneja inapropiadamente la limitaci\u00f3n de velocidad basada en IP"
}
],
"id": "CVE-2017-18899",
"lastModified": "2024-11-21T03:21:12.793",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.437",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "02865198-E242-4223-9C76-3B6F9DE37155",
"versionEndExcluding": "4.10.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CAA2D97-A60F-4616-9756-2DDD6475C696",
"versionEndExcluding": "5.5.3",
"versionStartIncluding": "5.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CEA8BF8F-65C7-4F04-8498-B61FC671C35E",
"versionEndExcluding": "5.6.4",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FDA3FCA-48B3-47BE-BE49-954D17C0E79A",
"versionEndExcluding": "5.7.1",
"versionStartIncluding": "5.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.7.1, 5.6.4, 5.5.3 y 4.10.6. No respeta los permisos de la API de indicaciones (flags) cuando deciden si un usuario puede recibir publicaciones dentro del equipo"
}
],
"id": "CVE-2019-20887",
"lastModified": "2024-11-21T04:39:37.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.897",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-27 15:15
Modified
2024-11-21 07:52
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5905FB2-E275-4956-B1A0-46346378A795",
"versionEndExcluding": "7.7.0",
"versionStartIncluding": "5.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\n\n\n"
}
],
"id": "CVE-2023-27265",
"lastModified": "2024-11-21T07:52:33.653",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-27T15:15:11.997",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.14.0 | |
| mattermost | mattermost_server | 5.14.0 | |
| mattermost | mattermost_server | 5.14.0 | |
| mattermost | mattermost_server | 5.14.0 | |
| mattermost | mattermost_server | 5.14.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD9436D8-67F5-42F3-9615-881773EA3EA9",
"versionEndExcluding": "5.9.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "668E3871-50E8-46CB-86DB-AC892AEF14CB",
"versionEndExcluding": "5.12.6",
"versionStartIncluding": "5.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18E46D23-33A1-4AA6-ACF0-853CD7206694",
"versionEndExcluding": "5.13.3",
"versionStartIncluding": "5.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.14.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "6DE42576-B684-4E37-BC60-7F4AE2EA3C07",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.14.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "047062E1-8EE1-4183-8DE2-E92941F08E9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "5766A130-8F8A-43D0-83E9-712D78129E1D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.14.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "510615E0-5470-439C-B76B-7A2E8B40C65B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.14.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "DDF21518-3611-4000-883A-CC8412473D00",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.14.0, 5.13.3, 5.12.6 y 5.9.4. Permite a atacantes remotos causar una denegaci\u00f3n de servicio (bloqueo de la aplicaci\u00f3n) por medio de un documento SVG dise\u00f1ado"
}
],
"id": "CVE-2019-20860",
"lastModified": "2024-11-21T04:39:33.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.743",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB597A8-86FA-4573-A4BB-CDD4FBE3E048",
"versionEndExcluding": "5.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.16.0. Permite a atacantes causar una denegaci\u00f3n de servicio (suspensi\u00f3n del renderizador markdown) por medio de muchos caracteres backtick"
}
],
"id": "CVE-2019-20857",
"lastModified": "2024-11-21T04:39:32.780",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.570",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3FCC29C7-66D2-4868-BED3-4AFDC30DAEA8",
"versionEndExcluding": "5.13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team\u0027s slash commands."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.13.0. No miembros pueden extraer comandos de barra diagonal de un equipo"
}
],
"id": "CVE-2019-20862",
"lastModified": "2024-11-21T04:39:33.507",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.853",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AAF54A34-11E1-4B30-850A-D2D5FB98BBAE",
"versionEndExcluding": "3.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.2. Los prop\u00f3sitos de un ID de sesi\u00f3n y un Token de Sesi\u00f3n fueron manejados inapropiadamente"
}
],
"id": "CVE-2016-11072",
"lastModified": "2024-11-21T02:45:26.100",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.337",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-31 12:15
Modified
2024-11-21 07:39
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 7.7.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68480D55-9BBC-46E3-8DE9-A2F13F2F8853",
"versionEndExcluding": "7.1.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:7.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BB8E1831-9267-467F-A646-84052F0A3FAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter\u0027s permission to that channel, allowing an attacker to invite themselves to a private channel.\n\n\n"
}
],
"id": "CVE-2023-1774",
"lastModified": "2024-11-21T07:39:52.903",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-31T12:15:06.650",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95CB4883-2A2C-44D2-BC3F-599F757EA5D4",
"versionEndExcluding": "4.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.7.3. Permite a atacantes causar una denegaci\u00f3n de servicio (bloqueo de la aplicaci\u00f3n) por medio de un texto LaTeX no v\u00e1lido"
}
],
"id": "CVE-2018-21262",
"lastModified": "2024-11-21T04:03:19.030",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.007",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D17BC777-43D7-4B7B-B969-23B85BC94AF9",
"versionEndExcluding": "3.10.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88AA2DE4-716D-43AD-BD34-DFA48FCBE22E",
"versionEndExcluding": "4.0.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.1.0, 4.0.4 y 3.10.3. Permite a atacantes detectar los ID de invitaci\u00f3n de equipo por medio de los endpoints de la API de equipo"
}
],
"id": "CVE-2017-18902",
"lastModified": "2024-11-21T03:21:13.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.653",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Permite a atacantes obtener informaci\u00f3n confidencial sobre si alguien presenta 2FA habilitado"
}
],
"id": "CVE-2019-20877",
"lastModified": "2024-11-21T04:39:35.790",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.317",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user\u0027s session."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. El conocimiento de un ID de sesi\u00f3n permite revocar la sesi\u00f3n de otro usuario"
}
],
"id": "CVE-2017-18878",
"lastModified": "2024-11-21T03:21:09.713",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.013",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 18:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1F608126-B2A9-42F2-A906-1DD6A3935067",
"versionEndExcluding": "4.3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2864E807-573D-49D1-830F-D1CE15D54ECF",
"versionEndExcluding": "4.4.3",
"versionStartIncluding": "4.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.4.3 y 4.3.3. Los atacantes podr\u00edan reconfigurar una aplicaci\u00f3n OAuth en algunos casos donde Mattermost es un proveedor de servicios de OAuth versi\u00f3n 2.0"
}
],
"id": "CVE-2017-18872",
"lastModified": "2024-11-21T03:21:08.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T18:15:10.537",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Cambios, dentro de la aplicaci\u00f3n, en unas direcciones de correo electr\u00f3nico son manejados inapropiadamente"
}
],
"id": "CVE-2019-20878",
"lastModified": "2024-11-21T04:39:35.943",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.367",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60D068FF-0FC6-4D7B-B6BF-586D54A365A7",
"versionEndExcluding": "5.15.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.15.0. Permite a atacantes causar una denegaci\u00f3n de servicio (consumo de CPU) por medio de caracteres dise\u00f1ados en una cl\u00e1usula LIKE SQL para un endpoint APIv4"
}
],
"id": "CVE-2019-20858",
"lastModified": "2024-11-21T04:39:32.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-09 18:15
Modified
2024-11-14 16:48
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 | |
| mattermost | mattermost_server | 10.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E022FB98-95D6-4F82-9A9F-0C320633E64D",
"versionEndExcluding": "9.5.10",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E2037E9-B6B2-4764-A5C9-5006DCF34E94",
"versionEndExcluding": "9.10.3",
"versionStartIncluding": "9.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5F0D9909-E2B9-41B3-93F7-6C666434FE7B",
"versionEndExcluding": "9.11.2",
"versionStartIncluding": "9.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D08969BB-2AE8-4583-8205-F39C44039955",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "07AF48D9-3CA9-4D3F-9F2E-975858205BA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "23737B5A-A878-46FA-9261-CF87246DF759",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "CF95680E-B893-42E4-A639-D9753E1C85E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:10.0.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "594BC592-4333-4BC4-8868-091001AB5E36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 and 10.0.x \u003c= 10.0.0 fail to properly authorize the requests to\u00a0/api/v4/channels \u00a0which allows\u00a0a User or System Manager, with \"Read Groups\" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to\u00a0/api/v4/channels."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 y 10.0.x \u0026lt;= 10.0.0 no autorizan correctamente las solicitudes a /api/v4/channels, lo que permite que un usuario o administrador del sistema, con permiso de \"Leer grupos\" pero sin acceso a canales, recupere detalles sobre canales privados de los que no era miembro enviando una solicitud a /api/v4/channels."
}
],
"id": "CVE-2024-42000",
"lastModified": "2024-11-14T16:48:30.013",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-09T18:15:14.993",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E473B94D-A00F-4F9A-97D8-240019775FCC",
"versionEndExcluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.1. Un atacante puede omitir el control de acceso previsto (para la creaci\u00f3n de un canal de mensajes directos) por medio del comando barra diagonal Message"
}
],
"id": "CVE-2018-21254",
"lastModified": "2024-11-21T04:03:17.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.617",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Ofrece unas API superfluas para que un administrador del equipo visualice los detalles de la cuenta"
}
],
"id": "CVE-2016-11080",
"lastModified": "2024-11-21T02:45:27.217",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-12 09:15
Modified
2024-11-21 07:58
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DF5031B-328F-437D-8B96-BDED19E417FA",
"versionEndExcluding": "7.1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1FA172F4-5BE3-45B2-BB2C-B05F2446923F",
"versionEndExcluding": "7.7.4",
"versionStartIncluding": "7.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53D5D9CC-6065-43C9-A17C-9DBB30447F3D",
"versionEndExcluding": "7.8.3",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FBCD0E6A-14E1-41E9-A215-822115B4622E",
"versionEndExcluding": "7.9.2",
"versionStartIncluding": "7.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin\n"
}
],
"id": "CVE-2023-2515",
"lastModified": "2024-11-21T07:58:45.357",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-12T09:15:10.373",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-06 09:15
Modified
2024-11-21 08:43
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DC0F1AE-87E5-483B-BD2A-945BE99CD487",
"versionEndExcluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82659141-9C39-492A-9DF2-B2E293E151BE",
"versionEndExcluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "050ACB86-28ED-4BEB-832C-3BA6FCC15D22",
"versionEndExcluding": "9.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "031CA1A1-C6B0-4096-830D-150CDC3BA8F3",
"versionEndExcluding": "9.1.2",
"versionStartIncluding": "9.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost webapp fails to validate\u00a0route parameters in/\u003cTEAM_NAME\u003e/channels/\u003cCHANNEL_NAME\u003e\u00a0allowing an attacker to perform a client-side path traversal.\n\n"
},
{
"lang": "es",
"value": "La aplicaci\u00f3n web Mattermost no puede validar los par\u00e1metros de ruta en//channels/, lo que permite a un atacante realizar un path traversal del lado del cliente."
}
],
"id": "CVE-2023-6458",
"lastModified": "2024-11-21T08:43:53.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.3,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-06T09:15:08.907",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-15 09:15
Modified
2024-12-13 17:04
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0ADAC025-32F2-4971-81F3-4D2939890060",
"versionEndExcluding": "8.1.10",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit\u00a0the size of the payload that can be read and parsed allowing an attacker to send a\u00a0very large email payload and crash the server.\n\n"
},
{
"lang": "es",
"value": "El agotamiento de recursos en las versiones 8.1.x anteriores a 8.1.10 de Mattermost Server no limita el tama\u00f1o del payload que se puede leer y analizar, lo que permite a un atacante enviar un payload de correo electr\u00f3nico muy grande y bloquear el servidor."
}
],
"id": "CVE-2024-28053",
"lastModified": "2024-12-13T17:04:25.663",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-15T09:15:07.293",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A5BE0A1-194D-4E16-8547-2290F3BF777D",
"versionEndExcluding": "5.9.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "87675506-EA42-48F1-B12B-C137D58A31BC",
"versionEndExcluding": "5.15.4",
"versionStartIncluding": "5.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88A5E809-55F9-4B8C-8CC9-D2263632626E",
"versionEndExcluding": "5.16.4",
"versionStartIncluding": "5.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1861A510-327D-452B-A4FA-12204ECA2358",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "5966FFD8-6763-48E0-85A3-6624241F6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "51C15C53-6CCF-4A49-AAF2-88AE72E2216F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F46E3522-C7EB-4139-84F5-AFCED85D3C19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "7A353365-71E8-4382-9212-BD4495F5CF7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0, 5.17.2, 5.16.4, 5.15.4 y 5.9.7. Se presenta una inyecci\u00f3n SQL por parte de los administradores mediante SearchAllChannels"
}
],
"id": "CVE-2019-20842",
"lastModified": "2024-11-21T04:39:30.537",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.370",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2, cuando el almacenamiento local para archivos es usado. Un Administrador System puede probar la existencia de un archivo arbitrario"
}
],
"id": "CVE-2017-18876",
"lastModified": "2024-11-21T03:21:09.427",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.177",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9810018-925D-4842-A38A-00743CDBFCC0",
"versionEndExcluding": "3.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592EBE66-F1CC-46C6-BB06-D204C5C20544",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else\u0027s account."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.0.0, 3.10.2 y 3.9.2, cuando Single Sign-On OAuth2 es usado. Un atacante podr\u00eda demandar la cuenta de otra persona"
}
],
"id": "CVE-2017-18906",
"lastModified": "2024-11-21T03:21:13.783",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.147",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-09 11:15
Modified
2024-11-21 08:41
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "714E3E9F-A35A-456F-B198-C1CBD09169C6",
"versionEndExcluding": "7.8.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "135D194F-2285-4EB4-9963-5BCB97F6BC6B",
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC20942B-35AD-4EF5-8878-6E112865E3D5",
"versionEndExcluding": "8.1.2",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly check the creator of an attached file when adding the file to a draft post,\u00a0potentially exposing unauthorized file information.\n\n"
},
{
"lang": "es",
"value": "Mattermost no verifica adecuadamente el creador de un archivo adjunto al agregar el fichero a un borrador de publicaci\u00f3n, lo que potencialmente expone informaci\u00f3n del archivo no autorizada."
}
],
"id": "CVE-2023-5331",
"lastModified": "2024-11-21T08:41:32.870",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-09T11:15:11.280",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F13C7A3C-89E4-48CD-8990-EA7B19217A86",
"versionEndExcluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.1.0. Permite un ataque de tipo XSS por medio de valores de c\u00f3digo de color del tema"
}
],
"id": "CVE-2016-11070",
"lastModified": "2024-11-21T02:45:25.820",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.210",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A5BE0A1-194D-4E16-8547-2290F3BF777D",
"versionEndExcluding": "5.9.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "87675506-EA42-48F1-B12B-C137D58A31BC",
"versionEndExcluding": "5.15.4",
"versionStartIncluding": "5.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88A5E809-55F9-4B8C-8CC9-D2263632626E",
"versionEndExcluding": "5.16.4",
"versionStartIncluding": "5.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1861A510-327D-452B-A4FA-12204ECA2358",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "5966FFD8-6763-48E0-85A3-6624241F6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "51C15C53-6CCF-4A49-AAF2-88AE72E2216F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F46E3522-C7EB-4139-84F5-AFCED85D3C19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "7A353365-71E8-4382-9212-BD4495F5CF7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0, 5.17.2, 5.16.4, 5.15.4 y 5.9.7. Se presentan permisos d\u00e9biles para los archivos de configuraci\u00f3n"
}
],
"id": "CVE-2019-20843",
"lastModified": "2024-11-21T04:39:30.693",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.433",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-281"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-09 18:15
Modified
2024-11-14 17:11
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0800FBCC-ACA5-4DD4-BEF5-4556B40F31BE",
"versionEndExcluding": "9.5.11",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E0D68CA-544B-4031-AEAA-D6DD19F0424D",
"versionEndExcluding": "9.11.3",
"versionStartIncluding": "9.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.11.x \u003c= 9.11.2, and 9.5.x \u003c= 9.5.10 fail to\u00a0protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within\u00a0~30 seconds"
},
{
"lang": "es",
"value": "Las versiones 9.11.x \u0026lt;= 9.11.2 y 9.5.x \u0026lt;= 9.5.10 de Mattermost no protegen el c\u00f3digo MFA contra ataques de repetici\u00f3n, lo que permite a un atacante reutilizar el c\u00f3digo MFA en aproximadamente 30 segundos."
}
],
"id": "CVE-2024-36250",
"lastModified": "2024-11-14T17:11:23.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-09T18:15:14.747",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-303"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC88F96-4FC6-4A4D-952A-B130E581D48A",
"versionEndExcluding": "3.6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. Las notificaciones de correo electr\u00f3nico pueden tener enlaces falsificados"
}
],
"id": "CVE-2017-18910",
"lastModified": "2024-11-21T03:21:14.373",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.887",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-10 17:45
Modified
2024-11-21 06:39
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB80E0B0-05BC-4BB4-B26A-9981A770EBEA",
"versionEndExcluding": "5.37.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA6540C7-2107-4D58-B4AF-B0147A05F11D",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2ACEA26F-E5FD-4556-8201-FD21611B3B3F",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71AED082-2B61-48CD-BDE0-A1476B36D7E5",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "6.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body."
},
{
"lang": "es",
"value": "Un bug de desbordamiento de pila de llamadas en la funci\u00f3n de inicio de sesi\u00f3n SAML en el servidor Mattermost en versiones hasta la 6.3.2 incluy\u00e9ndola, permite a un atacante bloquear el servidor mediante el env\u00edo de un cuerpo POST malintencionadamente dise\u00f1ado"
}
],
"id": "CVE-2022-0903",
"lastModified": "2024-11-21T06:39:38.197",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-10T17:45:00.063",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Permite a atacantes obtener informaci\u00f3n confidencial durante una activaci\u00f3n/desactivaci\u00f3n del usuario"
}
],
"id": "CVE-2019-20873",
"lastModified": "2024-11-21T04:39:35.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.767",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 15:15
Modified
2024-09-04 16:55
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBEB8F40-C2DE-4E6F-8772-1BBCA44795A8",
"versionEndExcluding": "9.5.7",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BE71910-C7C4-4F33-BFD4-40D2EAA56DB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.0 and 9.5.x \u003c= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs,\u00a0which allows a malicious remote to\u00a0set arbitrary RemoteId values for synced users and therefore\u00a0claim that a user was synced from another remote."
},
{
"lang": "es",
"value": " Las versiones 9.9.x \u0026lt;= 9.9.0 y 9.5.x \u0026lt;= 9.5.6 de Mattermost no validan el origen de los mensajes de sincronizaci\u00f3n y solo permiten las ID remotas correctas, lo que permite que un control remoto malicioso establezca valores RemoteId arbitrarios para usuarios sincronizados y, por lo tanto, afirmar que un usuario se sincroniz\u00f3 desde otro control remoto."
}
],
"id": "CVE-2024-41926",
"lastModified": "2024-09-04T16:55:35.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T15:15:13.900",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F6DEC5-61C3-4F30-A82F-604FF6213C27",
"versionEndExcluding": "5.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0. No respeta el requisito de dominio cuando procesan una petici\u00f3n de uni\u00f3n para un equipo abierto"
}
],
"id": "CVE-2019-20882",
"lastModified": "2024-11-21T04:39:36.523",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.600",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.8.0 | |
| mattermost | mattermost_server | 5.8.0 | |
| mattermost | mattermost_server | 5.8.0 | |
| mattermost | mattermost_server | 5.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70F0C7AE-BB5D-426C-84CC-2610A58A8267",
"versionEndExcluding": "4.10.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1DACDDEE-B65B-4645-853B-BB58BA504545",
"versionEndExcluding": "5.6.5",
"versionStartIncluding": "5.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55AE89D4-FD0A-498F-9B2E-F455DA97D686",
"versionEndExcluding": "5.7.2",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "2FE207BF-1014-4D99-8795-130C659429AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B0B7D3C4-9B51-4C95-BE86-1EFAB1176DFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "91A97AD8-9DFD-478A-A92A-4F6A45AB1A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.8.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "EA598408-A619-4668-83D0-2C9CCA78D2E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0, 5.7.2, 5.6.5 y 4.10.7. Permite a atacantes causar una denegaci\u00f3n de servicio (consumo de la memoria) por medio de OpenGraph"
}
],
"id": "CVE-2019-20880",
"lastModified": "2024-11-21T04:39:36.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.490",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. Una vulnerabilidad de tipo SSRF puede atacar servicios locales"
}
],
"id": "CVE-2019-20872",
"lastModified": "2024-11-21T04:39:35.023",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.703",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA28681-C811-4EEF-B896-A0E09CBC6A32",
"versionEndExcluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 2.1.0. Permite un ataque de tipo XSS por medio de un problema tipo CSRF"
}
],
"id": "CVE-2016-11084",
"lastModified": "2024-11-21T02:45:27.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.023",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9810018-925D-4842-A38A-00743CDBFCC0",
"versionEndExcluding": "3.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592EBE66-F1CC-46C6-BB06-D204C5C20544",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.0.0, 3.10.2 y 3.9.2. Una petici\u00f3n de restablecimiento de contrase\u00f1a en alg\u00fan momento fue enviada a una direcci\u00f3n de correo electr\u00f3nico proporcionada por el atacante"
}
],
"id": "CVE-2017-18908",
"lastModified": "2024-11-21T03:21:14.067",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-15 10:15
Modified
2024-12-13 17:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0ADAC025-32F2-4971-81F3-4D2939890060",
"versionEndExcluding": "8.1.10",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71A20DFB-85FA-480C-956A-24B50AB1862D",
"versionEndExcluding": "9.2.6",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA0D2B39-6A65-4B91-925D-20087EF4CCB9",
"versionEndExcluding": "9.3.2",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74D75B50-ED53-47E4-A43A-1D3D8CFE4F8E",
"versionEndExcluding": "9.4.3",
"versionStartIncluding": "9.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.\n\n"
},
{
"lang": "es",
"value": "Las versiones del complemento Mattermost Jira enviadas con las versiones 8.1.x anteriores a 8.1.10, 9.2.x anteriores a 9.2.6, 9.3.x anteriores a 9.3.2 y 9.4.x anteriores a 9.4.3 no logran escapar de las salidas controladas por el usuario al generar HTML. p\u00e1ginas, lo que permite a un atacante realizar ataques de cross-site scripting reflejados contra los usuarios del servidor Mattermost."
}
],
"id": "CVE-2024-2445",
"lastModified": "2024-12-13T17:15:49.207",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-15T10:15:07.923",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D22B938-D5E9-4752-B457-AB6203BCE388",
"versionEndExcluding": "5.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.19.0. Unos atacantes pueden cambiar el nombre de un canal y causar una colisi\u00f3n con un mensaje directo, tambi\u00e9n se conoce como MMSA-2020-0002"
}
],
"id": "CVE-2020-14459",
"lastModified": "2024-11-21T05:03:19.870",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.963",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Un ataque de tipo XSS podr\u00eda presentarse por medio del campo author_link de un archivo adjunto de Slack"
}
],
"id": "CVE-2017-18879",
"lastModified": "2024-11-21T03:21:09.857",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.077",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC88F96-4FC6-4A4D-952A-B130E581D48A",
"versionEndExcluding": "3.6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. Un ataque de tipo XSS puede presentarse por medio de un enlace en una p\u00e1gina de error"
}
],
"id": "CVE-2017-18913",
"lastModified": "2024-11-21T03:21:14.800",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.320",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-19 21:15
Modified
2024-11-21 06:40
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4F225C4-48B7-456B-ABD4-1FD2ADD47668",
"versionEndExcluding": "6.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."
},
{
"lang": "es",
"value": "Mattermost versiones 6.4.x y anteriores, no comprueban apropiadamente la versi\u00f3n del plugin cuando es instalado un plugin desde el Marketplace, lo que permite a un usuario autenticado y autorizado instalar y explotar una versi\u00f3n antigua del plugin desde el Marketplace que podr\u00eda tener vulnerabilidades conocidas"
}
],
"id": "CVE-2022-1384",
"lastModified": "2024-11-21T06:40:37.257",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-19T21:15:14.047",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-477"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 08:15
Modified
2025-01-10 15:34
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.3.0 | |
| mattermost | mattermost_server | 9.3.0 | |
| mattermost | mattermost_server | 9.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EEF3AB70-F893-4C93-B1A6-C6B82F2C1816",
"versionEndExcluding": "8.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "068FD4E8-B93A-42CE-8F90-F81D66F7FB89",
"versionEndExcluding": "9.2.5",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B3CC387-1591-408A-A136-9B5B4C921223",
"versionEndExcluding": "9.4.2",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "8F679A96-8EB0-4D6B-81A0-48A7CB5E955F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8532CAD6-E40C-4D3B-8323-3F20DB433B7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "680A0F36-FDCB-4BFC-A853-B23DF4605DF3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly authorize the requests fetching\u00a0team associated AD/LDAP groups, allowing a user to fetch details of\u00a0AD/LDAP groups of a team that they are not a member of.\u00a0\n\n"
},
{
"lang": "es",
"value": "Mattermost no autoriza adecuadamente las solicitudes que buscan grupos AD/LDAP asociados al equipo, lo que permite a un usuario obtener detalles de los grupos AD/LDAP de un equipo del que no es miembro."
}
],
"id": "CVE-2024-23493",
"lastModified": "2025-01-10T15:34:43.287",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-29T08:15:47.380",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8BC655A-1FA1-4DF9-8976-D6C2694A3898",
"versionEndExcluding": "5.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.17.0. Permite a atacantes remotos causar una denegaci\u00f3n de servicio (bloqueo de una aplicaci\u00f3n del lado del cliente) por medio de un mensaje LaTeX"
}
],
"id": "CVE-2019-20854",
"lastModified": "2024-11-21T04:39:32.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.353",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:44
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FA74D02-6508-49A3-960F-22B84B6E5B51",
"versionEndIncluding": "8.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.\u00a0\n\n"
},
{
"lang": "es",
"value": "Mattermost no valida la membres\u00eda del equipo cuando un usuario intenta acceder a un playbook, lo que permite que un usuario con permisos para un playbook pero sin permisos para el equipo en el que se encuentra el playbook acceda y modifique el playbook. Esto puede suceder si el usuario alguna vez fue miembro del equipo, obtuvo permisos para el playbook y luego fue eliminado del equipo."
}
],
"id": "CVE-2023-6547",
"lastModified": "2024-11-21T08:44:04.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:09.857",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1F0263B4-5843-4A45-AC5C-9D3CB5FC68FA",
"versionEndExcluding": "5.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.20.0. No miembros pueden recibir detalles del equipo transmitido por medio del evento del WebSocket update_team, tambi\u00e9n se conoce como MMSA-2020-0012"
}
],
"id": "CVE-2020-14457",
"lastModified": "2024-11-21T05:03:19.557",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.840",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-09 15:15
Modified
2024-11-21 07:18
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://hackerone.com/reports/1549513 | Permissions Required | |
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1549513 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA9875C4-B239-4461-8B31-C814C3A91DB4",
"versionEndExcluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service."
},
{
"lang": "es",
"value": "Mattermost versiones 7.0.x y anteriores, no limitan suficientemente los tama\u00f1os en memoria de las im\u00e1genes JPEG cargadas simult\u00e1neamente, lo que permite a usuarios autenticados causar el agotamiento de los recursos en configuraciones espec\u00edficas del sistema, resultando en una Denegaci\u00f3n de Servicio del lado del servidor"
}
],
"id": "CVE-2022-3147",
"lastModified": "2024-11-21T07:18:55.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-09T15:15:15.010",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1549513"
},
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1549513"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Permite a atacantes agregar l\u00edneas DEBUG en los registros por medio de un endpoint de registro de la API REST versi\u00f3n 3"
}
],
"id": "CVE-2017-18896",
"lastModified": "2024-11-21T03:21:12.323",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.247",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-31 12:15
Modified
2024-11-21 07:39
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 7.7.1 | |
| mattermost | mattermost_server | 7.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68480D55-9BBC-46E3-8DE9-A2F13F2F8853",
"versionEndExcluding": "7.1.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:7.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BB8E1831-9267-467F-A646-84052F0A3FAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:7.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F76672DF-2ABD-4C95-A7CB-65AC3AA3F2C9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.\n\n"
}
],
"id": "CVE-2023-1777",
"lastModified": "2024-11-21T07:39:53.243",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-31T12:15:06.803",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DD41DB0-EC52-4C5C-9B80-05DD3E21B184",
"versionEndExcluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.2.0. Los atacantes pod\u00edan leer los campos LDAP mediante inyecci\u00f3n"
}
],
"id": "CVE-2016-11068",
"lastModified": "2024-11-21T02:45:25.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.790",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5. Permite a atacantes obtener informaci\u00f3n confidencial (estados de los usuarios) por medio de un endpoint de la API REST versi\u00f3n 4"
}
],
"id": "CVE-2017-18895",
"lastModified": "2024-11-21T03:21:12.173",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:11.030",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-26 08:15
Modified
2024-09-26 18:42
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC97EDD1-AD9D-484B-99B0-D49541EFBA52",
"versionEndExcluding": "9.5.9",
"versionStartIncluding": "9.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.5.x \u003c= 9.5.8 fail to include the\u00a0metadata endpoints of\u00a0Oracle Cloud and Alibaba in the SSRF denylist, which allows\u00a0an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba."
},
{
"lang": "es",
"value": "Las versiones 9.5.x \u0026lt;= 9.5.8 de Mattermost no incluyen los endpoints de metadatos de Oracle Cloud y Alibaba en la lista de denegaci\u00f3n de SSRF, lo que permite que un atacante posiblemente provoque una SSRF si Mattermost se implement\u00f3 en Oracle Cloud o Alibaba."
}
],
"id": "CVE-2024-45843",
"lastModified": "2024-09-26T18:42:26.697",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-26T08:15:06.020",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 | |
| mattermost | mattermost_server | 5.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "502A1D2D-28B3-487C-8AD4-33555F3E5662",
"versionEndExcluding": "5.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4278AE6D-09CF-4E82-B728-EDD1DFD6C4D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "094E718B-6916-4473-A289-5CA8A1291969",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6188A07E-A8A2-4573-9882-7FEF4316D688",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "3D223D23-FE0B-44A5-AEC3-F6935AFFBC0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "F3807BAF-FEE4-4A35-8CDA-E3BE991BC117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.2.0:rc6:*:*:*:*:*:*",
"matchCriteriaId": "5821F28D-E507-446F-98CF-9284A588E8CA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.2 y 5.1.1. La autorizaci\u00f3n podr\u00eda ser omitida si el nombre del canal no fuera el mismo en los par\u00e1metros y en el cuerpo"
}
],
"id": "CVE-2018-21251",
"lastModified": "2024-11-21T04:03:17.517",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.490",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:33
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.1.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "367753A5-CE5B-4EA7-8539-6ACFBC9ACABE",
"versionEndIncluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "553B4894-FB79-4996-BDEC-273EF6E96D9D",
"versionEndIncluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0856C685-4154-4549-B60A-4251C9E6B916",
"versionEndIncluding": "9.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D31448D3-0970-47A8-A4A5-E7FB05B929EB",
"versionEndIncluding": "9.1.2",
"versionStartIncluding": "9.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "90D81EBE-C0B1-40B7-8BE5-8F4598D81814",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to validate the type of the \"reminder\" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.\n\n"
},
{
"lang": "es",
"value": "Mattermost no logra validar el tipo de par\u00e1metro de solicitud del cuerpo \"recordatorio\", lo que permite a un atacante bloquear el complemento Playbook al actualizar el cuadro de di\u00e1logo de estado."
}
],
"id": "CVE-2023-49607",
"lastModified": "2024-11-21T08:33:37.887",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:08.757",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.\n\n"
}
],
"id": "CVE-2023-3593",
"lastModified": "2024-11-21T08:17:37.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:11.037",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Permite a atacantes obtener privilegios mediante el uso de una aplicaci\u00f3n OAuth registrada con tokens de acceso personal"
}
],
"id": "CVE-2017-18884",
"lastModified": "2024-11-21T03:21:10.553",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.373",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-02 10:15
Modified
2024-11-21 08:30
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4FFBD373-195D-4481-B87D-5B329DBEC33D",
"versionEndExcluding": "8.1.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "707E5CDF-AD8D-4D91-8DE8-B32E6E06003B",
"versionEndExcluding": "9.0.5",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "689E6CCF-B722-4C95-AAB6-010CC285CF80",
"versionEndExcluding": "9.1.4",
"versionStartIncluding": "9.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51A35D8A-9E04-4450-B27E-401B9D43CC12",
"versionEndExcluding": "9.2.3",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly verify the permissions needed for viewing archived public channels,\u00a0\u00a0allowing a member of one team to get details about the archived public channels of another team via the\u00a0GET /api/v4/teams/\u003cteam-id\u003e/channels/deleted endpoint.\n\n"
},
{
"lang": "es",
"value": "Mattermost no verifica adecuadamente los permisos necesarios para ver los canales p\u00fablicos archivados, lo que permite que un miembro de un equipo obtenga detalles sobre los canales p\u00fablicos archivados de otro equipo a trav\u00e9s de GET /api/v4/teams//channels/deleted endpoint."
}
],
"id": "CVE-2023-47858",
"lastModified": "2024-11-21T08:30:55.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-02T10:15:08.117",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-25 10:15
Modified
2024-11-21 08:35
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Summary
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 8.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F550344-4A29-4354-9AB9-9E9168B81908",
"versionEndExcluding": "7.8.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78A07BB1-20D2-41B4-9823-B3EF8CDFC997",
"versionEndExcluding": "7.10.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:8.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E47E76CA-0C92-4039-8448-D6618DF531CD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to restrict which parameters\u0027 values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.\n\n"
},
{
"lang": "es",
"value": "Mattermost no restringe los valores de los par\u00e1metros que toma de la solicitud durante el registro, lo que permite a un atacante registrar a los usuarios como inactivos, bloque\u00e1ndoles as\u00ed el acceso posterior a Mattermost sin que el administrador del sistema active sus cuentas."
}
],
"id": "CVE-2023-4478",
"lastModified": "2024-11-21T08:35:15.067",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-25T10:15:09.687",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 15:15
Modified
2024-09-04 17:38
Severity ?
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBEB8F40-C2DE-4E6F-8772-1BBCA44795A8",
"versionEndExcluding": "9.5.7",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BE71910-C7C4-4F33-BFD4-40D2EAA56DB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6 fail to properly restrict channel creation\u00a0which allows\u00a0a malicious remote to create arbitrary channels,\u00a0when shared channels were enabled."
},
{
"lang": "es",
"value": " Las versiones 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6 de Mattermost no restringen adecuadamente la creaci\u00f3n de canales, lo que permite que un control remoto malicioso cree canales arbitrarios, cuando los canales compartidos estaban habilitados."
}
],
"id": "CVE-2024-39837",
"lastModified": "2024-09-04T17:38:42.297",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T15:15:12.790",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 08:15
Modified
2025-01-10 15:38
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BEDF730-8343-4F71-9C8B-0FAEF0BC7248",
"versionEndExcluding": "8.1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5A5F372-12BE-4A46-864C-BEEB37339927",
"versionEndExcluding": "9.1.5",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7869A30E-31F8-4BCD-99F1-B0296E44D6D0",
"versionEndExcluding": "9.2.4",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send\u00a0multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.\n\n"
},
{
"lang": "es",
"value": "Mattermost no logra validar adecuadamente la longitud del valor emoji en el estado de usuario personalizado, lo que permite a un atacante enviar varias veces una cadena muy larga como valor emoji, lo que provoca un alto consumo de recursos y posiblemente fallar el servidor."
}
],
"id": "CVE-2024-24988",
"lastModified": "2025-01-10T15:38:05.187",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-29T08:15:47.640",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D22B938-D5E9-4752-B457-AB6203BCE388",
"versionEndExcluding": "5.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the \"get channel by name\" API, aka MMSA-2020-0004."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.19.0. Unos atacantes pueden detectar canales privados por medio de la API \"get channel by name\", tambi\u00e9n se conoce como MMSA-2020-0004"
}
],
"id": "CVE-2020-14458",
"lastModified": "2024-11-21T05:03:19.713",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.917",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 09:15
Modified
2024-11-21 08:29
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "367753A5-CE5B-4EA7-8539-6ACFBC9ACABE",
"versionEndIncluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "553B4894-FB79-4996-BDEC-273EF6E96D9D",
"versionEndIncluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0856C685-4154-4549-B60A-4251C9E6B916",
"versionEndIncluding": "9.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB6EA21-B7ED-487D-B131-FA200023179E",
"versionEndIncluding": "9.1.2",
"versionStartIncluding": "9.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID\n\n"
},
{
"lang": "es",
"value": "Mattermost no realiza comprobaciones de autorizaci\u00f3n en el endpoint /plugins/playbooks/api/v0/runs/add-to-timeline-dialog del complemento Playbooks, lo que permite a un atacante obtener informaci\u00f3n limitada sobre una publicaci\u00f3n si conoce el ID de la publicaci\u00f3n."
}
],
"id": "CVE-2023-46701",
"lastModified": "2024-11-21T08:29:06.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T09:15:08.180",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-02 10:15
Modified
2024-11-21 08:32
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4FFBD373-195D-4481-B87D-5B329DBEC33D",
"versionEndExcluding": "8.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to scope the WebSocket response around notified users\u00a0to a each user separately resulting in the\u00a0WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\n\n"
},
{
"lang": "es",
"value": "Mattermost no logra abarcar la respuesta de WebSocket en torno a los usuarios notificados para cada usuario por separado, lo que hace que WebSocket transmita la informaci\u00f3n sobre qui\u00e9n fue notificado sobre una publicaci\u00f3n a todos los dem\u00e1s en el canal."
}
],
"id": "CVE-2023-48732",
"lastModified": "2024-11-21T08:32:20.653",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-02T10:15:08.487",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 | |
| mattermost | mattermost_server | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DABD3D9-ABA0-435A-826E-894B85BF330B",
"versionEndExcluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C98DA462-E8C3-4011-995F-1D813670A5F7",
"versionEndExcluding": "4.1.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DBCAAA7B-C893-48F1-B72C-06101B26EA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "7103DBD3-7169-4EF7-8354-122E98FBE442",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C1F4BE86-1DEE-4730-8CC6-64A05A0C85EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.2.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "B725A0DC-8A41-4788-A705-2EE23EE13009",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.2.0, 4.1.1 y 4.0.5, cuando se usaba como proveedor de servicios OAuth versi\u00f3n 2.0. Algunas veces, es omitida la autorizaci\u00f3n del propietario del recurso, lo que permite la toma de control de la cuenta"
}
],
"id": "CVE-2017-18894",
"lastModified": "2024-11-21T03:21:12.023",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.967",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-06 09:15
Modified
2024-11-21 08:43
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DC0F1AE-87E5-483B-BD2A-945BE99CD487",
"versionEndExcluding": "7.8.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82659141-9C39-492A-9DF2-B2E293E151BE",
"versionEndExcluding": "8.1.5",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost is grouping calls in\u00a0the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.\n\n"
},
{
"lang": "es",
"value": "Mattermost agrupa llamadas en el endpoint /metrics por identificaci\u00f3n e informar esa identificaci\u00f3n en la respuesta. Dado que esta identificaci\u00f3n es la ID del canal, el endpoint p\u00fablico /metrics revela los ID de los canales."
}
],
"id": "CVE-2023-6459",
"lastModified": "2024-11-21T08:43:54.087",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-06T09:15:09.140",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71AC31E7-7EF0-4561-BEB4-7EECA2D7126D",
"versionEndExcluding": "3.6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.7.0 y 3.6.3. Los atacantes pueden usar la API para la creaci\u00f3n de un equipo no autenticado"
}
],
"id": "CVE-2017-18919",
"lastModified": "2024-11-21T03:21:15.647",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.647",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 16:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 | |
| mattermost | mattermost_server | 5.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "622E94AF-4BC7-42D4-B750-F72EECB98C8A",
"versionEndExcluding": "4.10.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D446DC-CA4C-4C09-80DA-525D91E2EA36",
"versionEndExcluding": "5.7.3",
"versionStartIncluding": "5.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "243BABD9-CBA3-49EB-9F09-C9F1B98BF11C",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B769FC2A-E54F-4C2C-A42B-3FC78B90F4EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "49479373-44B5-4CFF-9F92-44534F99CED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "314EB74B-91A9-4D97-A97F-365E214BD105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.9.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FF4140FA-6A46-4307-B78D-1A0A6C73B0A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.9.0, 5.8.1, 5.7.3 y 4.10.8. La biblioteca Markdown permite un retroceso (backtracking) catastr\u00f3fico"
}
],
"id": "CVE-2019-20871",
"lastModified": "2024-11-21T04:39:34.877",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T16:15:10.640",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 | |
| mattermost | mattermost_server | 5.18.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A5BE0A1-194D-4E16-8547-2290F3BF777D",
"versionEndExcluding": "5.9.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "87675506-EA42-48F1-B12B-C137D58A31BC",
"versionEndExcluding": "5.15.4",
"versionStartIncluding": "5.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88A5E809-55F9-4B8C-8CC9-D2263632626E",
"versionEndExcluding": "5.16.4",
"versionStartIncluding": "5.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1861A510-327D-452B-A4FA-12204ECA2358",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "5966FFD8-6763-48E0-85A3-6624241F6FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "51C15C53-6CCF-4A49-AAF2-88AE72E2216F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F46E3522-C7EB-4139-84F5-AFCED85D3C19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.18.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "7A353365-71E8-4382-9212-BD4495F5CF7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.18.0, 5.17.2, 5.16.4, 5.15.4 y 5.9.7. Una vulnerabilidad de tipo CSRF algunas veces puede presentarse por medio de un sitio web dise\u00f1ado para ataques de toma de control de la cuenta"
}
],
"id": "CVE-2019-20841",
"lastModified": "2024-11-21T04:39:30.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:10.307",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EF06AD9-9108-4E29-9341-A0ABE8504ECA",
"versionEndExcluding": "7.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF521020-FD9F-43BB-8EF7-F676DFA893C5",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u00a0guest accounts to be added or invited to channels by default. \n\n"
}
],
"id": "CVE-2023-3613",
"lastModified": "2024-11-21T08:17:40.277",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:11.107",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-17 17:15
Modified
2024-11-21 06:15
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Summary
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://hackerone.com/reports/1253732 | Permissions Required | |
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1253732 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A44CD6CB-BDAD-44EE-87D7-33057AF8F055",
"versionEndIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post."
},
{
"lang": "es",
"value": "Mattermost versiones 6.0 y anteriores, no comprueban suficientemente los par\u00e1metros durante la creaci\u00f3n de la entrada, lo que permite a atacantes autenticados causar un bloqueo del lado del cliente de la aplicaci\u00f3n web por medio de una entrada maliciosamente dise\u00f1ada"
}
],
"id": "CVE-2021-37863",
"lastModified": "2024-11-21T06:15:59.913",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-17T17:15:12.987",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1253732"
},
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1253732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 11:15
Modified
2024-12-13 17:07
Severity ?
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D16EAB8-89FC-4745-8C40-CC83EE7A42EE",
"versionEndExcluding": "8.1.9",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B3CC387-1591-408A-A136-9B5B4C921223",
"versionEndExcluding": "9.4.2",
"versionStartIncluding": "9.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts\u0027 contents via carefully timed post creation while another user deletes posts.\n\n"
},
{
"lang": "es",
"value": "Una condici\u00f3n de ejecuci\u00f3n en las versiones 8.1.x anteriores a 8.1.9 y 9.4.x anteriores a 9.4.2 de Mattermost permite a un atacante autenticado obtener acceso no autorizado al contenido de publicaciones individuales mediante una creaci\u00f3n de publicaciones cuidadosamente programada mientras otro usuario las elimina."
}
],
"id": "CVE-2024-1949",
"lastModified": "2024-12-13T17:07:37.437",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-29T11:15:08.003",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-26 08:15
Modified
2024-10-01 11:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.11.0 | |
| mattermost | mattermost_server | 9.11.0 | |
| mattermost | mattermost_server | 9.11.0 | |
| mattermost | mattermost_server | 9.11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC97EDD1-AD9D-484B-99B0-D49541EFBA52",
"versionEndExcluding": "9.5.9",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "20276949-478F-4F2C-9D07-F9B3C04CADD9",
"versionEndExcluding": "9.9.3",
"versionStartIncluding": "9.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6AE34CB3-C7F7-4AAD-888E-5057ACBE9BC4",
"versionEndExcluding": "9.10.2",
"versionStartIncluding": "9.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:-:*:*:*:*:*:*",
"matchCriteriaId": "E7436086-F0AC-4AB8-B611-7B8E1AE2E4F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "D5310C1D-DA5F-46B5-BA33-F7C3D6A63C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "BCE22F86-00E2-42E0-8343-D3AD818AA943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.11.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "641065E7-F36F-42F3-A098-B7131DB0D2F5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.11.x \u003c= 9.11.0, 9.10.x \u003c= 9.10.1, 9.9.x \u003c= 9.9.2 and 9.5.x \u003c= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u00a0an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files."
},
{
"lang": "es",
"value": "Las versiones 9.11.x \u0026lt;= 9.11.0, 9.10.x \u0026lt;= 9.10.1, 9.9.x \u0026lt;= 9.9.2 y 9.5.x \u0026lt;= 9.5.8 de Mattermost no autorizan correctamente las solicitudes cuando la visualizaci\u00f3n de canales archivados est\u00e1 deshabilitada, lo que permite a un atacante recuperar informaci\u00f3n de publicaciones y archivos sobre canales archivados. Algunos ejemplos son las publicaciones marcadas o no le\u00eddas, as\u00ed como los archivos."
}
],
"id": "CVE-2024-42406",
"lastModified": "2024-10-01T11:15:48.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-26T08:15:05.810",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-15 23:15
Modified
2024-11-21 07:39
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F351E4FF-2CDE-47E5-931B-D64D5683F701",
"versionEndExcluding": "7.7.0",
"versionStartIncluding": "5.32.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter."
}
],
"id": "CVE-2023-1421",
"lastModified": "2024-11-21T07:39:09.463",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-15T23:15:09.467",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-22 16:15
Modified
2024-10-16 20:07
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "32EE0958-90BA-4026-9C64-1823B86F341D",
"versionEndExcluding": "9.5.8",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A37536AB-52C7-4670-AA72-86CD7819CD22",
"versionEndExcluding": "9.8.3",
"versionStartIncluding": "9.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C9BCD18-4646-4440-A826-C5B9C79E9BFB",
"versionEndExcluding": "9.9.2",
"versionStartIncluding": "9.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B43DB6F9-1C15-45DB-A5E7-E46F4162436B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.0, 9.8.x \u003c= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.0, 9.8.x \u0026lt;= 9.8.2 no aplican los permisos que permiten a un usuario invitado con acceso de lectura cargar archivos en un canal."
}
],
"id": "CVE-2024-43780",
"lastModified": "2024-10-16T20:07:50.637",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-22T16:15:09.897",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 19:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72250CFB-47F9-40AE-BBD0-179D27CCF49D",
"versionEndExcluding": "4.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Permite a un atacante crear un bot\u00f3n que, cuando es presionado por parte un usuario, inicia una petici\u00f3n de la API"
}
],
"id": "CVE-2017-18890",
"lastModified": "2024-11-21T03:21:11.417",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T19:15:10.700",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-10 17:45
Modified
2024-11-21 06:39
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86C5517B-79C8-4714-8F4A-49D5E46DA57C",
"versionEndExcluding": "5.37.8",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA6540C7-2107-4D58-B4AF-B0147A05F11D",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2ACEA26F-E5FD-4556-8201-FD21611B3B3F",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71AED082-2B61-48CD-BDE0-A1476B36D7E5",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "6.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document."
},
{
"lang": "es",
"value": "Un bug de desbordamiento de pila en el extractor de documentos de Mattermost Server en versiones hasta 6.3.2 incluy\u00e9ndola, permite a un atacante bloquear el servidor por medio del env\u00edo de un documento de Apple Pages dise\u00f1ado de forma maliciosa"
}
],
"id": "CVE-2022-0904",
"lastModified": "2024-11-21T06:39:38.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-10T17:45:00.833",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 15:15
Modified
2024-09-04 17:03
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBEB8F40-C2DE-4E6F-8772-1BBCA44795A8",
"versionEndExcluding": "9.5.7",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5C9F963-57DF-41E2-AA46-242317D93786",
"versionEndExcluding": "9.7.6",
"versionStartIncluding": "9.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B4559B7-83E7-41B2-96A8-51F467CCD882",
"versionEndExcluding": "9.8.2",
"versionStartIncluding": "9.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BE71910-C7C4-4F33-BFD4-40D2EAA56DB1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5 and 9.8.x \u003c= 9.8.1 fail to disallow\u00a0the modification of local channels by a remote, when shared channels are enabled, which allows\u00a0a malicious remote to make an arbitrary local channel read-only."
},
{
"lang": "es",
"value": " Las versiones de Mattermost 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5 y 9.8.x \u0026lt;= 9.8.1 no permiten la modificaci\u00f3n de canales locales mediante un control remoto, cuando Los canales compartidos est\u00e1n habilitados, lo que permite que un control remoto malicioso convierta un canal local arbitrario en solo lectura."
}
],
"id": "CVE-2024-41162",
"lastModified": "2024-09-04T17:03:53.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T15:15:13.627",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-13 18:15
Modified
2024-11-21 06:40
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B214D1C6-90FE-4A2C-B608-4089EB8ADDBF",
"versionEndExcluding": "5.37.9",
"versionStartIncluding": "5.37.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74959FFE-64FA-4CCA-9EF0-44462880CE20",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77204CB6-761A-4CDE-BDDB-9C1F7896969F",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABDFB3EE-F03D-4F9B-BF7A-6B3B3B1F7345",
"versionEndExcluding": "6.4.2",
"versionStartIncluding": "6.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents."
},
{
"lang": "es",
"value": "Una de las API de Mattermost versiones 6.4.1 y anteriores, no protegen apropiadamente los permisos, lo que permite a miembros autenticados con un rol de administrador personalizado restringido omitir las restricciones y visualizar los registros del servidor y el contenido del archivo config.json del servidor"
}
],
"id": "CVE-2022-1332",
"lastModified": "2024-11-21T06:40:30.443",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-13T18:15:09.780",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 | |
| mattermost | mattermost_server | 4.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68AC27E1-9523-42D5-9A59-B91A3F4EC518",
"versionEndExcluding": "4.1.2",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FE7E6F1-5B34-4D19-8B93-ED2E9EFFCAF3",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FB71A82C-2F6A-49EC-A541-1600304F4D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "91E5A299-021B-451B-95E2-4DC2DD6FF50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "471DFF36-36F3-4904-B5E9-091C259181A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A8772DEC-C002-443E-9609-1CC2A6FD8037",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.3.0, 4.2.1 y 4.1.2. Los ataques de tipo XSS pueden ocurrir contra una p\u00e1gina allow/deny de OAuth versi\u00f3n 2.0"
}
],
"id": "CVE-2017-18877",
"lastModified": "2024-11-21T03:21:09.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to,
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F71A811-27D2-4953-9C3A-4AC6B27AF1A8",
"versionEndExcluding": "7.8.7",
"versionStartIncluding": "7.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don\u0027t have access to,\u00a0\n\n"
}
],
"id": "CVE-2023-3582",
"lastModified": "2024-11-21T08:17:36.067",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:10.487",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-31 12:15
Modified
2024-11-21 07:39
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 7.7.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68480D55-9BBC-46E3-8DE9-A2F13F2F8853",
"versionEndExcluding": "7.1.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:7.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BB8E1831-9267-467F-A646-84052F0A3FAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\n\n\n"
}
],
"id": "CVE-2023-1775",
"lastModified": "2024-11-21T07:39:53.017",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-31T12:15:06.700",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-17 16:15
Modified
2024-11-21 08:17
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Summary
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE365D7-09E6-424C-A8FE-B7BDCC76B749",
"versionEndExcluding": "7.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D66512-A095-4557-A9AD-B02E306FC1C9",
"versionEndExcluding": "7.9.5",
"versionStartIncluding": "7.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401CC11A-1059-44A2-87BA-601024BD178E",
"versionEndExcluding": "7.10.3",
"versionStartIncluding": "7.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to properly validate a gif image file, allowing an attacker to\u00a0consume a significant amount of server resources, making the server unresponsive for an extended period of time by\u00a0linking to specially crafted image file.\n\n"
}
],
"id": "CVE-2023-3614",
"lastModified": "2024-11-21T08:17:40.407",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-17T16:15:11.173",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64F6DEC5-61C3-4F30-A82F-604FF6213C27",
"versionEndExcluding": "5.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.8.0. Maneja inapropiadamente los ataques de fuerza bruta contra MFA"
}
],
"id": "CVE-2019-20881",
"lastModified": "2024-11-21T04:39:36.380",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:13.537",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-05 09:15
Modified
2024-12-13 16:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66FEDCF9-277A-4D60-8A28-948068A10F91",
"versionEndExcluding": "8.1.11",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4A105B6-CFF8-4FF0-A70D-F3C390AE0FAD",
"versionEndExcluding": "9.3.3",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "600DCF59-6535-484C-9DDC-E33834B90B25",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7A768D77-9FF0-4C1B-81B0-AD2187832E62",
"versionEndExcluding": "9.5.2",
"versionStartIncluding": "9.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.\n\n"
},
{
"lang": "es",
"value": "Las versiones de Mattermost 8.1.x anteriores a 8.1.11, 9.3.x anteriores a 9.3.3, 9.4.x anteriores a 9.4.4 y 9.5.x anteriores a 9.5.2 no logran autenticar la fuente de ciertos tipos de acciones de publicaci\u00f3n, lo que permite una atacante autenticado para crear publicaciones como otros usuarios a trav\u00e9s de una acci\u00f3n de publicaci\u00f3n manipulada."
}
],
"id": "CVE-2024-2447",
"lastModified": "2024-12-13T16:18:47.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-05T09:15:09.860",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-17 17:15
Modified
2024-11-21 06:15
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://hackerone.com/reports/1357013 | Permissions Required | |
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1357013 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A44CD6CB-BDAD-44EE-87D7-33057AF8F055",
"versionEndIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token."
},
{
"lang": "es",
"value": "Mattermost versiones 6.0 y anteriores, no comprueban suficientemente la direcci\u00f3n de correo electr\u00f3nico durante el registro, lo que permite a atacantes enga\u00f1ar a usuarios para que se registren usando direcciones de correo electr\u00f3nico controladas por el atacante por medio de un token de invitaci\u00f3n dise\u00f1ado"
}
],
"id": "CVE-2021-37862",
"lastModified": "2024-11-21T06:15:59.733",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-17T17:15:12.920",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1357013"
},
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1357013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. Permite potencialmente a atacantes obtener informaci\u00f3n confidencial (campos de credenciales dentro de config.json) por medio de la Interfaz de Usuario de la consola del sistema"
}
],
"id": "CVE-2016-11078",
"lastModified": "2024-11-21T02:45:26.947",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.680",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-12 11:15
Modified
2024-11-21 08:44
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FA74D02-6508-49A3-960F-22B84B6E5B51",
"versionEndIncluding": "8.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D00348C4-CEE7-474E-BBDC-4A66D6BBA4C8",
"versionEndIncluding": "9.2.1",
"versionStartIncluding": "9.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.\u00a0\n\n"
},
{
"lang": "es",
"value": "Mattermost no realiza comprobaciones de autorizaci\u00f3n correctas al crear una acci\u00f3n del playbook, lo que permite a los usuarios sin acceso al playbook crear acciones del playbook. Si la acci\u00f3n del playbook creada es publicar un mensaje en un canal basado en palabras clave espec\u00edficas en una publicaci\u00f3n, se puede filtrar cierta informaci\u00f3n del playbook, como el nombre."
}
],
"id": "CVE-2023-6727",
"lastModified": "2024-11-21T08:44:25.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T11:15:07.140",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-05 09:15
Modified
2024-12-12 21:38
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66FEDCF9-277A-4D60-8A28-948068A10F91",
"versionEndExcluding": "8.1.11",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4A105B6-CFF8-4FF0-A70D-F3C390AE0FAD",
"versionEndExcluding": "9.3.3",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "600DCF59-6535-484C-9DDC-E33834B90B25",
"versionEndExcluding": "9.4.4",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7A768D77-9FF0-4C1B-81B0-AD2187832E62",
"versionEndExcluding": "9.5.2",
"versionStartIncluding": "9.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don\u0027t limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.\n\n"
},
{
"lang": "es",
"value": "Las versiones de Mattermost Server 9.5.x anteriores a 9.5.2, 9.4.x anteriores a 9.4.4, 9.3.x anteriores a 9.3.3, 8.1.x anteriores a 8.1.11 no limitan el n\u00famero de preferencias de usuario que permiten a un atacante enviar un gran n\u00famero de preferencias del usuario que pueden causar denegaci\u00f3n de servicio."
}
],
"id": "CVE-2024-28949",
"lastModified": "2024-12-12T21:38:08.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-05T09:15:09.497",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C579580-F670-4324-A756-D536B7DE1AA5",
"versionEndExcluding": "5.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.21.0. En mmctl permite un salto de directorio por medio de HTTP, tambi\u00e9n se conoce como MMSA-2020-0014"
}
],
"id": "CVE-2020-14452",
"lastModified": "2024-11-21T05:03:18.793",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.510",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 15:15
Modified
2024-11-21 04:39
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABF90131-984B-447B-A97E-BF4F9C78113B",
"versionEndExcluding": "5.9.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B5CADD-20CB-4AA4-9B48-DA107BA6477E",
"versionEndExcluding": "5.14.5",
"versionStartIncluding": "5.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "792B3214-36EC-4E61-A7A6-F72C26F14517",
"versionEndExcluding": "5.15.2",
"versionStartIncluding": "5.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "361FEE25-68DF-41AE-9F5B-706675137C2F",
"versionEndExcluding": "5.16.1",
"versionStartIncluding": "5.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.16.1, 5.15.2, 5.14.5 y 5.9.6. Permite a atacantes obtener informaci\u00f3n confidencial (archivos locales) durante la migraci\u00f3n de archivos adjuntos heredados"
}
],
"id": "CVE-2019-20855",
"lastModified": "2024-11-21T04:39:32.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T15:15:10.430",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "792926E7-A107-40E9-9CB9-5AB8BBC130E8",
"versionEndExcluding": "3.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.6.0 y 3.5.2. Un ataque de tipo XSS puede presentarse por medio de un enlace en una p\u00e1gina de error"
}
],
"id": "CVE-2017-18921",
"lastModified": "2024-11-21T03:21:15.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.773",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CD9696A4-F961-4CAD-9CFA-D72223A0CB05",
"versionEndExcluding": "4.10.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2567431A-FED9-4BCA-934F-60EF6BF953A0",
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CCE952BF-8E9F-4642-85E0-D8D175028E71",
"versionEndExcluding": "5.2.2",
"versionStartIncluding": "5.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.2.2, 5.1.2 y 4.10.4. Permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de la memoria) por medio de dimensiones de imagen dise\u00f1adas"
}
],
"id": "CVE-2018-21250",
"lastModified": "2024-11-21T04:03:17.380",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "146D9026-7214-4461-8584-AF9690AC3B2C",
"versionEndExcluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.0.0. No garantiza que una cookie sea usada sobre SSL"
}
],
"id": "CVE-2016-11076",
"lastModified": "2024-11-21T02:45:26.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:11.570",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD8F277A-AA90-42EA-BD55-B747B17CB4CB",
"versionEndExcluding": "5.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.23.0. Las respuestas autom\u00e1ticas de mensajes directos permiten a atacantes causar una denegaci\u00f3n de servicio (bucle infinito), tambi\u00e9n se conoce como MMSA-2020-0020"
}
],
"id": "CVE-2020-14448",
"lastModified": "2024-11-21T05:03:18.200",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.260",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-15 10:15
Modified
2024-12-13 16:39
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0ADAC025-32F2-4971-81F3-4D2939890060",
"versionEndExcluding": "8.1.10",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71A20DFB-85FA-480C-956A-24B50AB1862D",
"versionEndExcluding": "9.2.6",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA0D2B39-6A65-4B91-925D-20087EF4CCB9",
"versionEndExcluding": "9.3.2",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74D75B50-ED53-47E4-A43A-1D3D8CFE4F8E",
"versionEndExcluding": "9.4.3",
"versionStartIncluding": "9.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.\n\n"
},
{
"lang": "es",
"value": "Las versiones de Mattermost 8.1.x anteriores a 8.1.10, 9.2.x anteriores a 9.2.6, 9.3.x anteriores a 9.3.2 y 9.4.x anteriores a 9.4.3 no limitan el n\u00famero de @menciones procesadas por mensaje, lo que permite un atacante autenticado para bloquear las aplicaciones cliente de otros usuarios a trav\u00e9s de mensajes grandes y elaborados"
}
],
"id": "CVE-2024-2446",
"lastModified": "2024-12-13T16:39:51.233",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-15T10:15:08.230",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9810018-925D-4842-A38A-00743CDBFCC0",
"versionEndExcluding": "3.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "592EBE66-F1CC-46C6-BB06-D204C5C20544",
"versionEndExcluding": "3.10.2",
"versionStartIncluding": "3.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.0.0, 3.10.2 y 3.9.2. Un ataque de tipo XSS podr\u00eda presentarse por medio de un encabezado de canal"
}
],
"id": "CVE-2017-18907",
"lastModified": "2024-11-21T03:21:13.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.197",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-13 18:15
Modified
2024-11-21 06:40
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B214D1C6-90FE-4A2C-B608-4089EB8ADDBF",
"versionEndExcluding": "5.37.9",
"versionStartIncluding": "5.37.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74959FFE-64FA-4CCA-9EF0-44462880CE20",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77204CB6-761A-4CDE-BDDB-9C1F7896969F",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABDFB3EE-F03D-4F9B-BF7A-6B3B3B1F7345",
"versionEndExcluding": "6.4.2",
"versionStartIncluding": "6.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files."
},
{
"lang": "es",
"value": "El componente de proxy de im\u00e1genes en Mattermost versiones 6.4.1 y anteriores, asigna memoria para m\u00faltiples copias de una imagen proxy, lo que permite a un atacante autenticado colapsar el servidor por medio de enlaces a archivos de imagen muy grandes"
}
],
"id": "CVE-2022-1337",
"lastModified": "2024-11-21T06:40:31.097",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-13T18:15:09.893",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-22 16:15
Modified
2024-10-16 20:05
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 9.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "32EE0958-90BA-4026-9C64-1823B86F341D",
"versionEndExcluding": "9.5.8",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A37536AB-52C7-4670-AA72-86CD7819CD22",
"versionEndExcluding": "9.8.3",
"versionStartIncluding": "9.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C9BCD18-4646-4440-A826-C5B9C79E9BFB",
"versionEndExcluding": "9.9.2",
"versionStartIncluding": "9.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:9.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B43DB6F9-1C15-45DB-A5E7-E46F4162436B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0, 9.8.x \u0026lt;= 9.8.2 no aplican correctamente los permisos que permiten a un usuario con funci\u00f3n de administrador de sistemas con acceso de solo lectura a los equipos para realizar operaciones de escritura en los equipos."
}
],
"id": "CVE-2024-42497",
"lastModified": "2024-10-16T20:05:09.183",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.7,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-22T16:15:09.330",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 4.5.0 | |
| mattermost | mattermost_server | 4.5.0 | |
| mattermost | mattermost_server | 4.5.0 | |
| mattermost | mattermost_server | 4.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6CB14F13-D2DB-4395-A0CA-FF719A916C83",
"versionEndExcluding": "4.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6D90B0D-7882-4818-B2BA-D2B1A92C6C58",
"versionEndExcluding": "4.4.5",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "251BF2C1-3E96-46BF-9AA4-F30A19AF68C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "56BAD3A2-A337-4A00-B546-0A106A593052",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "D7394620-98B0-4859-B279-CF77E02D1F1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:4.5.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "F2D92720-E499-4ED0-B323-49F5840527E3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.5.0, 4.4.5 y 4.3.4. Manej\u00f3 inapropiadamente el control de acceso de webhook en el caso de la funci\u00f3n EnableOnlyAdminIntegrations"
}
],
"id": "CVE-2017-18870",
"lastModified": "2024-11-21T03:21:08.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:11.787",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-09 11:15
Modified
2024-11-21 08:41
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "714E3E9F-A35A-456F-B198-C1CBD09169C6",
"versionEndExcluding": "7.8.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "135D194F-2285-4EB4-9963-5BCB97F6BC6B",
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC20942B-35AD-4EF5-8878-6E112865E3D5",
"versionEndExcluding": "8.1.2",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost fails to\u00a0enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.\n\n"
},
{
"lang": "es",
"value": "Mattermost no aplica un l\u00edmite para el tama\u00f1o de la entrada de cach\u00e9 para los datos de OpenGraph, lo que permite a un atacante enviar una solicitud especialmente manipulada al /api/v4/opengraph, llenando el cach\u00e9 y haciendo que el servidor no est\u00e9 disponible."
}
],
"id": "CVE-2023-5330",
"lastModified": "2024-11-21T08:41:32.737",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-09T11:15:11.197",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-29 11:15
Modified
2024-12-13 17:08
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D16EAB8-89FC-4745-8C40-CC83EE7A42EE",
"versionEndExcluding": "8.1.9",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts\u0027 contents in channels they are not a member of.\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 8.1.x anterior a la 8.1.9 de Mattermost no sanitiza los datos asociados con los enlaces permanentes cuando un complemento actualiza una publicaci\u00f3n ef\u00edmera, lo que permite a un atacante autenticado que puede controlar la actualizaci\u00f3n de la publicaci\u00f3n ef\u00edmera acceder al contenido de las publicaciones individuales en canales de los que no es miembro."
}
],
"id": "CVE-2024-1952",
"lastModified": "2024-12-13T17:08:36.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-29T11:15:08.213",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.19.0 | |
| mattermost | mattermost_server | 5.19.0 | |
| mattermost | mattermost_server | 5.19.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3760ABC-8C1A-4E1D-A63F-1CAE5E050CB0",
"versionEndExcluding": "5.9.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "161F5DAA-ACC6-4B53-BDCE-B6A5259E7F13",
"versionEndExcluding": "5.16.5",
"versionStartIncluding": "5.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96E328C1-07C2-4732-814E-5DA2E668C59C",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "501739E1-ACFE-407B-BB50-36319FF262D5",
"versionEndExcluding": "5.18.1",
"versionStartIncluding": "5.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.19.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B696D08E-C9CA-45EA-B53E-D0DA6EEC310C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.19.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "87C15105-7326-42D1-8B3A-C7464CA2580C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.19.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "9B1CEF0A-1946-4974-A8A0-35512C1B30D8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.19.0, 5.18.1, 5.17.3, 5.16.5 y 5.9.8. Una creaci\u00f3n de una aplicaci\u00f3n OAuth confiable no siempre requiere privilegios de administrador, tambi\u00e9n se conoce como MMSA-2020-0001"
}
],
"id": "CVE-2020-14460",
"lastModified": "2024-11-21T05:03:20.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:12.010",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 02:45
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DD41DB0-EC52-4C5C-9B80-05DD3E21B184",
"versionEndExcluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.2.0. Permiti\u00f3 publicaciones dise\u00f1adas que podr\u00edan hacer que un navegador web se bloquee"
}
],
"id": "CVE-2016-11067",
"lastModified": "2024-11-21T02:45:25.410",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:10.743",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-14 18:15
Modified
2024-11-21 07:00
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 6.6.0 | |
| mattermost | mattermost_server | 6.6.1 | |
| mattermost | mattermost_server | 6.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D311744-6A53-4DD9-BE49-46E72BE1FB32",
"versionEndExcluding": "6.3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "06ABE3B1-53EA-42AB-B986-E5A660677075",
"versionEndExcluding": "6.5.2",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5144C178-AA3E-43CC-80E2-77BC8689FE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "667E1ED7-7A47-4021-A158-23425C9F6E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:6.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "13763CA7-57C3-4EBE-96D6-C244B5FE2704",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."
},
{
"lang": "es",
"value": "Una divulgaci\u00f3n de informaci\u00f3n sin restricciones de todos los usuarios en Mattermost versiones 6.7.0 y anteriores, permite a miembros del equipo acceder a determinada informaci\u00f3n confidencial mediante el acceso directo a las API"
}
],
"id": "CVE-2022-2401",
"lastModified": "2024-11-21T07:00:55.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-14T18:15:08.313",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | 5.1.0 | |
| mattermost | mattermost_server | 5.1.0 | |
| mattermost | mattermost_server | 5.1.0 | |
| mattermost | mattermost_server | 5.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24ECA7B3-C992-428C-8A24-09C493825757",
"versionEndExcluding": "4.10.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E278EFAE-A65B-4F4D-A0B0-85AB5F7F20D9",
"versionEndExcluding": "5.0.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CE9E6973-2B19-4159-B31C-78DDCE4A9179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "0C0A6193-612E-4C80-9B0F-A4CDF4C60ABC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "B3E5F5B9-1BE6-4BC5-9FCE-595AB536D335",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:5.1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "7B75C34D-82F2-41C1-B2B9-52346FD8CB6B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.1, 5.0.2 y 4.10.2. Un atacante podr\u00eda usar el comando barra diagonal invite_people para invitar a un usuario no permitido"
}
],
"id": "CVE-2018-21253",
"lastModified": "2024-11-21T04:03:17.790",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.537",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 20:15
Modified
2024-11-21 03:21
Severity ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2965755B-6C26-43BB-9EFC-9E9C2DD32C8B",
"versionEndExcluding": "3.6.7",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A164D156-BF18-421E-B54A-983E24E0F4A0",
"versionEndExcluding": "3.7.5",
"versionStartIncluding": "3.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86BDAD96-71AA-4D79-B6E6-142D00B2C799",
"versionEndExcluding": "3.8.2",
"versionStartIncluding": "3.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 3.8.2, 3.7.5 y 3.6.7. Se us\u00f3 un proceso de hash d\u00e9bil para invitaciones de correo electr\u00f3nico, OAuth y tokens de verificaci\u00f3n de correo electr\u00f3nico"
}
],
"id": "CVE-2017-18917",
"lastModified": "2024-11-21T03:21:15.360",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T20:15:12.523",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-916"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 17:15
Modified
2024-11-21 04:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * | |
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E6AB860A-094E-44FF-B3C5-81CECCE1EDA2",
"versionEndExcluding": "4.6.3",
"versionStartIncluding": "4.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B71D35D-001D-4243-8ED4-61D7ADF5B36B",
"versionEndExcluding": "4.7.4",
"versionStartIncluding": "4.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12A10C0B-FEE4-4B1B-8B5E-DA0846EC1FCC",
"versionEndExcluding": "4.8.1",
"versionStartIncluding": "4.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 4.8.1, 4.7.4 y 4.6.3. Los eventos del WebSocket fueron enviados accidentalmente durante determinadas operaciones de administraci\u00f3n de usuarios, violando la privacidad del usuario"
}
],
"id": "CVE-2018-21260",
"lastModified": "2024-11-21T04:03:18.760",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T17:15:12.897",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-19 14:15
Modified
2024-11-21 05:03
Severity ?
Summary
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mattermost.com/security-updates/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD8F277A-AA90-42EA-BD55-B747B17CB4CB",
"versionEndExcluding": "5.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Mattermost Server versiones anteriores a 5.23.0. Peticiones de webhook largas permiten a atacantes causar una denegaci\u00f3n de servicio (bucle infinito), tambi\u00e9n se conoce como MMSA-2020-0021"
}
],
"id": "CVE-2020-14447",
"lastModified": "2024-11-21T05:03:18.050",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-19T14:15:11.183",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2017-18912
Vulnerability from cvelistv5
Published
2020-06-19 18:45
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:45:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18912",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18912",
"datePublished": "2020-06-19T18:45:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20867
Vulnerability from cvelistv5
Published
2020-06-19 15:18
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.455Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel\u0027s post loading via one crafted post."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:18:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20867",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel\u0027s post loading via one crafted post."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20867",
"datePublished": "2020-06-19T15:18:25",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1952
Vulnerability from cvelistv5
Published
2024-02-29 10:42
Modified
2024-08-01 18:56
Severity ?
EPSS score ?
Summary
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 8.1.0 ≤ 8.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T18:05:32.069105Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:20.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.4"
},
{
"status": "unaffected",
"version": "8.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts\u0027 contents in channels they are not a member of.\u003c/p\u003e"
}
],
"value": "Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts\u0027 contents in channels they are not a member of.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T10:42:15.362Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4, 8.1.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.4, 8.1.9 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00265",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53180"
],
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-1952",
"datePublished": "2024-02-29T10:42:15.362Z",
"dateReserved": "2024-02-27T19:21:09.017Z",
"dateUpdated": "2024-08-01T18:56:22.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18881
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18881",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18881",
"datePublished": "2020-06-19T18:08:44",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6459
Vulnerability from cvelistv5
Published
2023-12-06 08:11
Modified
2024-12-16 16:02
Severity ?
EPSS score ?
Summary
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.13 Version: 0 ≤ 8.1.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:02:11.401424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T16:02:20.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.5"
},
{
"status": "unaffected",
"version": "7.8.14"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost is grouping calls in\u0026nbsp;the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.\u003c/p\u003e"
}
],
"value": "Mattermost is grouping calls in\u00a0the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-06T08:11:36.417Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.5, 7.8.14 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.5, 7.8.14 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00250",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54444"
],
"discovery": "EXTERNAL"
},
"title": "Public endpoint /metrics of Calls plugin reveals channel IDs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-6459",
"datePublished": "2023-12-06T08:11:36.417Z",
"dateReserved": "2023-12-01T10:14:04.973Z",
"dateUpdated": "2024-12-16T16:02:20.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1421
Vulnerability from cvelistv5
Published
2023-03-15 22:51
Modified
2024-12-06 23:06
Severity ?
EPSS score ?
Summary
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 5.32.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:08.839339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:06:14.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "7.7",
"status": "affected",
"version": "5.32.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "zerodivisi0n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter."
}
],
"value": "A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-15T22:51:25.597Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.7 or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.7 or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00131",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42334"
],
"discovery": "EXTERNAL"
},
"title": "Reflected XSS in OAuth flow completion endpoints",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-1421",
"datePublished": "2023-03-15T22:51:25.597Z",
"dateReserved": "2023-03-15T22:45:54.197Z",
"dateUpdated": "2024-12-06T23:06:14.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20859
Vulnerability from cvelistv5
Published
2020-06-19 14:13
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.405Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:13:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20859",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20859",
"datePublished": "2020-06-19T14:13:02",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-24776
Vulnerability from cvelistv5
Published
2024-02-09 14:50
Modified
2024-08-01 23:28
Severity ?
EPSS score ?
Summary
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.7 Version: 9.4.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-12T16:56:53.647994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:20:51.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.8"
},
{
"status": "affected",
"version": "9.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to check the required permissions in the\u0026nbsp;POST /api/v4/channels/stats/member_count API resulting in\u0026nbsp;channel member counts being leaked to a user without permissions.\u003c/p\u003e"
}
],
"value": "Mattermost fails to check the required permissions in the\u00a0POST /api/v4/channels/stats/member_count API resulting in\u00a0channel member counts being leaked to a user without permissions.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T14:50:45.443Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.8, 9.4.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.8, 9.4.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00268",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55041"
],
"discovery": "EXTERNAL"
},
"title": " Incorrect Authorization leads to Channel Member Count Leak",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-24776",
"datePublished": "2024-02-09T14:50:45.443Z",
"dateReserved": "2024-01-30T10:23:06.717Z",
"dateUpdated": "2024-08-01T23:28:12.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3584
Vulnerability from cvelistv5
Published
2023-07-17 15:23
Modified
2024-10-21 19:50
Severity ?
EPSS score ?
Summary
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:55.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:50:30.477091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:50:40.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.10.3 "
},
{
"status": "unaffected",
"version": "7.8.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "ramyadav (cenman)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly check the authorization of\u0026nbsp;POST /api/v4/teams when passing a team override scheme ID in the request,\u0026nbsp;allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly check the authorization of\u00a0POST /api/v4/teams when passing a team override scheme ID in the request,\u00a0allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:23:02.918Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.5, v7.10.3\u0026nbsp;or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions v7.8.5, v7.10.3\u00a0or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00169",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51361"
],
"discovery": "EXTERNAL"
},
"title": "Member can create team with team override scheme ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3584",
"datePublished": "2023-07-17T15:23:02.918Z",
"dateReserved": "2023-07-10T13:35:18.046Z",
"dateUpdated": "2024-10-21T19:50:40.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18880
Vulnerability from cvelistv5
Published
2020-06-19 18:42
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:42:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18880",
"datePublished": "2020-06-19T18:42:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20885
Vulnerability from cvelistv5
Published
2020-06-19 16:39
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.487Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:39:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20885",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20885",
"datePublished": "2020-06-19T16:39:33",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11068
Vulnerability from cvelistv5
Published
2020-06-19 19:24
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:24:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11068",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11068",
"datePublished": "2020-06-19T19:24:49",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18883
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18883",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18883",
"datePublished": "2020-06-19T18:08:47",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2401
Vulnerability from cvelistv5
Published
2022-07-14 17:20
Modified
2024-12-06 23:08
Severity ?
EPSS score ?
Summary
Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.7.x 6.7.0 Version: 6.x < Version: 6.5.x < Version: 6.6.x < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:47.302845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:08:34.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "6.7.x 6.7.0"
},
{
"lessThanOrEqual": "6.3.8",
"status": "affected",
"version": "6.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "6.5.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.6.1",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T17:20:49",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."
}
],
"source": {
"advisory": "MMSA-2022-00108",
"defect": [
"https://mattermost.atlassian.net/browse/MM-44568"
],
"discovery": "INTERNAL"
},
"title": "Team members could access sensitive information of other users via an API call",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-2401",
"STATE": "PUBLIC",
"TITLE": "Team members could access sensitive information of other users via an API call"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "6.x",
"version_value": "6.3.8"
},
{
"version_affected": "\u003c=",
"version_name": "6.5.x",
"version_value": "6.5.1"
},
{
"version_affected": "\u003c=",
"version_name": "6.6.x",
"version_value": "6.6.1"
},
{
"version_affected": "=",
"version_name": "6.7.x",
"version_value": "6.7.0"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher."
}
],
"source": {
"advisory": "MMSA-2022-00108",
"defect": [
"https://mattermost.atlassian.net/browse/MM-44568"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-2401",
"datePublished": "2022-07-14T17:20:49",
"dateReserved": "2022-07-14T00:00:00",
"dateUpdated": "2024-12-06T23:08:34.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1775
Vulnerability from cvelistv5
Published
2023-03-31 11:26
Modified
2024-12-06 23:05
Severity ?
EPSS score ?
Summary
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 3.3.0 ≤ 7.7.1 Version: 3.3.0 ≤ 7.1.5 Version: 3.3.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:25.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:00.165760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:05:41.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.7.1",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.5",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "7.8.0",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.0"
},
{
"status": "unaffected",
"version": "7.7.2"
},
{
"status": "unaffected",
"version": "7.1.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kyriakos Ziakoulis"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Harrison Healey"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-31T11:26:21.640Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00138",
"defect": [
"https://mattermost.atlassian.net/browse/MM-49981"
],
"discovery": "INTERNAL"
},
"title": "Unsanitized events sent over Websocket to regular users in a High Availability environment",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-1775",
"datePublished": "2023-03-31T11:26:21.640Z",
"dateReserved": "2023-03-31T11:26:09.249Z",
"dateUpdated": "2024-12-06T23:05:41.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28053
Vulnerability from cvelistv5
Published
2024-03-15 09:08
Modified
2024-08-12 13:40
Severity ?
EPSS score ?
Summary
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 8.1.0 ≤ 8.1.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:47.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T13:39:54.382091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T13:40:25.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.9",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5.0"
},
{
"status": "unaffected",
"version": "8.1.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": ". (themarkib0x0)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eResource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit\u0026nbsp;the size of the payload that can be read and parsed allowing an attacker to send a\u0026nbsp;very large email payload and crash the server.\u003c/p\u003e"
}
],
"value": "Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit\u00a0the size of the payload that can be read and parsed allowing an attacker to send a\u00a0very large email payload and crash the server.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-15T09:08:04.993Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 8.1.10 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.5.0, 8.1.10 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00287",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55968"
],
"discovery": "EXTERNAL"
},
"title": "Resource Exhaustion via the Invitation Feature",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-28053",
"datePublished": "2024-03-15T09:08:04.993Z",
"dateReserved": "2024-03-14T09:38:07.478Z",
"dateUpdated": "2024-08-12T13:40:25.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20872
Vulnerability from cvelistv5
Published
2020-06-19 15:23
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:23:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20872",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20872",
"datePublished": "2020-06-19T15:23:27",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18909
Vulnerability from cvelistv5
Published
2020-06-19 18:45
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:45:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18909",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18909",
"datePublished": "2020-06-19T18:45:57",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6458
Vulnerability from cvelistv5
Published
2023-12-06 08:10
Modified
2024-08-02 08:28
Severity ?
EPSS score ?
Summary
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 9.1.1 Version: 0 ≤ 9.0.2 Version: 0 ≤ 8.1.4 Version: 0 ≤ 7.8.13 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.1.2"
},
{
"status": "unaffected",
"version": "9.0.3"
},
{
"status": "unaffected",
"version": "8.1.5"
},
{
"status": "unaffected",
"version": "7.8.14"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost webapp fails to validate\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eroute parameters in\u003c/span\u003e/\u0026lt;TEAM_NAME\u0026gt;/channels/\u0026lt;CHANNEL_NAME\u0026gt;\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eallowing an attacker to perform a client-side path traversal.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost webapp fails to validate\u00a0route parameters in/\u003cTEAM_NAME\u003e/channels/\u003cCHANNEL_NAME\u003e\u00a0allowing an attacker to perform a client-side path traversal.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-06T08:10:18.481Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.1.2, 9.0.3, 8.1.5, 7.8.14 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.1.2, 9.0.3, 8.1.5, 7.8.14 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00248",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53903"
],
"discovery": "EXTERNAL"
},
"title": "Client side path traversal due to lack of route parameters validation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-6458",
"datePublished": "2023-12-06T08:10:18.481Z",
"dateReserved": "2023-12-01T10:06:07.237Z",
"dateUpdated": "2024-08-02T08:28:21.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18886
Vulnerability from cvelistv5
Published
2020-06-19 18:43
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:43:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18886",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18886",
"datePublished": "2020-06-19T18:43:16",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20878
Vulnerability from cvelistv5
Published
2020-06-19 16:29
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:29:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20878",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20878",
"datePublished": "2020-06-19T16:29:00",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18903
Vulnerability from cvelistv5
Published
2020-06-19 18:44
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:44:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18903",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18903",
"datePublished": "2020-06-19T18:44:09",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18871
Vulnerability from cvelistv5
Published
2020-06-19 16:51
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:51:40",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18871",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18871",
"datePublished": "2020-06-19T16:51:40",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14460
Vulnerability from cvelistv5
Published
2020-06-19 13:16
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.481Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:16:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14460",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14460",
"datePublished": "2020-06-19T13:16:12",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1777
Vulnerability from cvelistv5
Published
2023-03-31 11:35
Modified
2024-12-06 23:05
Severity ?
EPSS score ?
Summary
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.3.0 ≤ 7.7.1 Version: 6.3.0 ≤ 7.1.5 Version: 6.3.0 ≤ 7.8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:25.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:51:57.392822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:05:19.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.7.1",
"status": "affected",
"version": "6.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.5",
"status": "affected",
"version": "6.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.0",
"status": "affected",
"version": "6.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.1"
},
{
"status": "unaffected",
"version": "7.7.2"
},
{
"status": "unaffected",
"version": "7.1.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eMattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.\u003c/div\u003e"
}
],
"value": "Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-31T11:35:22.813Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00141",
"defect": [
"https://mattermost.atlassian.net/browse/MM-50505"
],
"discovery": "INTERNAL"
},
"title": "Information disclosure in linked message previews",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-1777",
"datePublished": "2023-03-31T11:35:22.813Z",
"dateReserved": "2023-03-31T11:34:59.009Z",
"dateUpdated": "2024-12-06T23:05:19.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3613
Vulnerability from cvelistv5
Published
2023-07-17 15:31
Modified
2024-10-21 19:39
Severity ?
EPSS score ?
Summary
Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost Plugins |
Version: 0 ≤ 7.8.5 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3613",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:38:31.157096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:39:44.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Mattermost Plugins",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.6"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jason Frerich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u0026nbsp;guest accounts to be added or invited to channels by default. \u003c/p\u003e"
}
],
"value": "Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u00a0guest accounts to be added or invited to channels by default. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:31:23.674Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 7.8.6,\u0026nbsp;7.10.3 or higher. Alternatively, update the WelcomeBot plugin to version 1.3.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 7.8.6,\u00a07.10.3 or higher. Alternatively, update the WelcomeBot plugin to version 1.3.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00186",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52564"
],
"discovery": "EXTERNAL"
},
"title": "Guest accounts invited and added to channels by Welcomebot plugin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3613",
"datePublished": "2023-07-17T15:31:23.674Z",
"dateReserved": "2023-07-11T08:28:36.132Z",
"dateUpdated": "2024-10-21T19:39:44.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-7113
Vulnerability from cvelistv5
Published
2023-12-29 12:46
Modified
2024-08-02 08:50
Severity ?
EPSS score ?
Summary
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.6 Version: 0 ≤ 9.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.7"
},
{
"status": "unaffected",
"version": "9.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.\u003c/p\u003e"
}
],
"value": "Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T12:46:13.932Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.2.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.7, 9.2.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00266",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53187"
],
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-7113",
"datePublished": "2023-12-29T12:46:13.932Z",
"dateReserved": "2023-12-26T10:19:31.976Z",
"dateUpdated": "2024-08-02T08:50:08.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-48732
Vulnerability from cvelistv5
Published
2024-01-02 09:52
Modified
2024-08-02 21:37
Severity ?
EPSS score ?
Summary
Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Espino Garcia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to scope the WebSocket response around notified users\u0026nbsp;to a each user separately resulting in the\u0026nbsp;WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\u003c/p\u003e"
}
],
"value": "Mattermost fails to scope the WebSocket response around notified users\u00a0to a each user separately resulting in the\u00a0WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T09:52:01.147Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.3.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00243",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54237"
],
"discovery": "INTERNAL"
},
"title": "Keywords that trigger mentions are leaked to other users",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-48732",
"datePublished": "2024-01-02T09:52:01.147Z",
"dateReserved": "2023-12-21T08:00:43.425Z",
"dateUpdated": "2024-08-02T21:37:54.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11071
Vulnerability from cvelistv5
Published
2020-06-19 19:25
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:25:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11071",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11071",
"datePublished": "2020-06-19T19:25:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18920
Vulnerability from cvelistv5
Published
2020-06-19 19:20
Modified
2024-08-05 21:45
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:20:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18920",
"datePublished": "2020-06-19T19:20:58",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:45:24.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11078
Vulnerability from cvelistv5
Published
2020-06-19 19:28
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:28:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11078",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11078",
"datePublished": "2020-06-19T19:28:22",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18915
Vulnerability from cvelistv5
Published
2020-06-19 19:16
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:16:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18915",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18915",
"datePublished": "2020-06-19T19:16:03",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18874
Vulnerability from cvelistv5
Published
2020-06-19 18:07
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:07:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18874",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18874",
"datePublished": "2020-06-19T18:07:29",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49809
Vulnerability from cvelistv5
Published
2023-12-12 08:20
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.051Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ben Schumacher"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:20:08.321Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.1.6,\u0026nbsp;\u003c/span\u003e9.2.0 or higher\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.6,\u00a09.2.0 or higher\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00227",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53424"
],
"discovery": "EXTERNAL"
},
"title": "Todo plugin gets crashed and disabled by member",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-49809",
"datePublished": "2023-12-12T08:20:08.321Z",
"dateReserved": "2023-12-05T08:04:35.026Z",
"dateUpdated": "2024-08-02T22:01:26.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11067
Vulnerability from cvelistv5
Published
2020-06-19 19:24
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.722Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:24:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11067",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11067",
"datePublished": "2020-06-19T19:24:31",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1942
Vulnerability from cvelistv5
Published
2024-02-29 10:41
Modified
2024-08-12 13:16
Severity ?
EPSS score ?
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.2.0 ≤ 9.2.4 Version: 8.1.0 ≤ 8.1.8 Version: 9.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T13:16:00.855584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T13:16:32.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.2.4",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.3.0"
},
{
"status": "unaffected",
"version": "9.4"
},
{
"status": "unaffected",
"version": "9.3.1"
},
{
"status": "unaffected",
"version": "9.2.5"
},
{
"status": "unaffected",
"version": "8.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.\u003c/p\u003e"
}
],
"value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T10:41:38.292Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.4, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00283",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55495"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-1942",
"datePublished": "2024-02-29T10:41:38.292Z",
"dateReserved": "2024-02-27T18:10:31.220Z",
"dateUpdated": "2024-08-12T13:16:32.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-5330
Vulnerability from cvelistv5
Published
2023-10-09 10:38
Modified
2024-09-05 19:47
Severity ?
EPSS score ?
Summary
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.10 Version: 0 ≤ 8.0.2 Version: 0 ≤ 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:52:08.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T19:47:44.126838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T19:47:56.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.11"
},
{
"status": "unaffected",
"version": "8.0.3"
},
{
"status": "unaffected",
"version": "8.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to\u0026nbsp;enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.\u003c/p\u003e"
}
],
"value": "Mattermost fails to\u00a0enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T10:38:39.415Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e7.8.11, \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.0.3,\u0026nbsp;\u003c/span\u003e8.1.2\u0026nbsp;or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions\u00a07.8.11, 8.0.3,\u00a08.1.2\u00a0or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00232",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53763"
],
"discovery": "EXTERNAL"
},
"title": " Denial of Service via Opengraph Data Cache",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-5330",
"datePublished": "2023-10-09T10:38:39.415Z",
"dateReserved": "2023-10-02T10:48:43.542Z",
"dateUpdated": "2024-09-05T19:47:56.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6547
Vulnerability from cvelistv5
Published
2023-12-12 08:22
Modified
2024-08-02 08:35
Severity ?
EPSS score ?
Summary
Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 Version: 0 ≤ 9.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Leandro Chaves (brdoors3)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:22:41.419Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.2.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.6, 9.2.2 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00271",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54988"
],
"discovery": "EXTERNAL"
},
"title": "Playbooks access/modification by removed team member",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-6547",
"datePublished": "2023-12-12T08:22:41.419Z",
"dateReserved": "2023-12-06T08:47:19.482Z",
"dateUpdated": "2024-08-02T08:35:14.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18908
Vulnerability from cvelistv5
Published
2020-06-19 19:16
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:16:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18908",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18908",
"datePublished": "2020-06-19T19:16:08",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-4478
Vulnerability from cvelistv5
Published
2023-08-25 09:06
Modified
2024-09-30 18:17
Severity ?
EPSS score ?
Summary
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.8 Version: 0 ≤ 7.10.4 Version: 8.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.857Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T18:17:18.324617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T18:17:59.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.9"
},
{
"status": "unaffected",
"version": "7.10.5"
},
{
"status": "unaffected",
"version": "8.0.1 "
},
{
"status": "affected",
"version": "8.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "0AQD (0aqd)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to restrict which parameters\u0027 values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.\u003c/p\u003e"
}
],
"value": "Mattermost fails to restrict which parameters\u0027 values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-25T09:06:06.310Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.9, 7.10.5, 8.0.1 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 7.8.9, 7.10.5, 8.0.1 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00225",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53426"
],
"discovery": "EXTERNAL"
},
"title": "Parameter tampering in the registration resulting in blocked accounts to be created",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-4478",
"datePublished": "2023-08-25T09:06:06.310Z",
"dateReserved": "2023-08-22T11:45:27.863Z",
"dateUpdated": "2024-09-30T18:17:59.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18907
Vulnerability from cvelistv5
Published
2020-06-19 19:19
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:19:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18907",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18907",
"datePublished": "2020-06-19T19:19:38",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18894
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18894",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18894",
"datePublished": "2020-06-19T18:10:56",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18890
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18890",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18890",
"datePublished": "2020-06-19T18:08:53",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18895
Vulnerability from cvelistv5
Published
2020-06-19 18:43
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.297Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:43:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18895",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18895",
"datePublished": "2020-06-19T18:43:14",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0904
Vulnerability from cvelistv5
Published
2022-03-09 15:21
Modified
2024-12-06 23:10
Severity ?
EPSS score ?
Summary
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.3 < 6.3.3 Version: 6.2 < 6.2.3 Version: 6.1 < 6.1.3 Version: 5.37 < 5.37.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-0904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:53:18.474566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:10:39.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "6.3.3",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"lessThan": "6.2.3",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"lessThan": "6.1.3",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"lessThan": "5.37.8",
"status": "affected",
"version": "5.37",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Call stack overflow / goroutine stack overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:21:17",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run\n"
}
],
"source": {
"advisory": "MMSA-2022-0086",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41334"
],
"discovery": "INTERNAL"
},
"title": "Stack overflow in document extractor in Mattermost",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-0904",
"STATE": "PUBLIC",
"TITLE": "Stack overflow in document extractor in Mattermost"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.3",
"version_value": "6.3.3"
},
{
"version_affected": "\u003c",
"version_name": "6.2",
"version_value": "6.2.3"
},
{
"version_affected": "\u003c",
"version_name": "6.1",
"version_value": "6.1.3"
},
{
"version_affected": "\u003c",
"version_name": "5.37",
"version_value": "5.37.8"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Call stack overflow / goroutine stack overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run\n"
}
],
"source": {
"advisory": "MMSA-2022-0086",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41334"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-0904",
"datePublished": "2022-03-09T15:21:17",
"dateReserved": "2022-03-09T00:00:00",
"dateUpdated": "2024-12-06T23:10:39.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18911
Vulnerability from cvelistv5
Published
2020-06-19 18:45
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:45:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18911",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18911",
"datePublished": "2020-06-19T18:45:55",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1384
Vulnerability from cvelistv5
Published
2022-04-19 20:26
Modified
2024-12-06 23:09
Severity ?
EPSS score ?
Summary
Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:06.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:58.546800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:09:22.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "6.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-477",
"description": "CWE-477 Use of Obsolete Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T20:26:28",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to version v6.5 or higher"
}
],
"source": {
"advisory": "MMSA-2022-0095",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41885"
],
"discovery": "INTERNAL"
},
"title": "Authorized users are allowed to install old plugin versions from the Marketplace",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-1384",
"STATE": "PUBLIC",
"TITLE": "Authorized users are allowed to install old plugin versions from the Marketplace"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "6.4"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-477 Use of Obsolete Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Mattermost to version v6.5 or higher"
}
],
"source": {
"advisory": "MMSA-2022-0095",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41885"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-1384",
"datePublished": "2022-04-19T20:26:28",
"dateReserved": "2022-04-18T00:00:00",
"dateUpdated": "2024-12-06T23:09:22.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21258
Vulnerability from cvelistv5
Published
2020-06-19 16:45
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:45:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21258",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21258",
"datePublished": "2020-06-19T16:45:05",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2446
Vulnerability from cvelistv5
Published
2024-03-15 09:11
Modified
2024-08-01 19:11
Severity ?
EPSS score ?
Summary
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.4.0 ≤ 9.4.2 Version: 9.3.0 ≤ 9.3.1 Version: 9.2.0 ≤ 9.2.5 Version: 8.1.0 ≤ 8.1.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T17:53:09.280852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:50.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.477Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.4.2",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.1",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.5",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.9",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5.0"
},
{
"status": "unaffected",
"version": "9.4.3"
},
{
"status": "unaffected",
"version": "9.3.2"
},
{
"status": "unaffected",
"version": "9.2.6"
},
{
"status": "unaffected",
"version": "8.1.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.\u003c/p\u003e"
}
],
"value": "Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-15T09:11:21.446Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5, 9.4.3, 9.3.2, 9.2.6, 8.1.10 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.5, 9.4.3, 9.3.2, 9.2.6, 8.1.10 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2024-00296",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56372"
],
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-2446",
"datePublished": "2024-03-15T09:11:21.446Z",
"dateReserved": "2024-03-14T12:09:07.848Z",
"dateUpdated": "2024-08-01T19:11:53.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-24988
Vulnerability from cvelistv5
Published
2024-02-29 08:06
Modified
2024-08-01 23:36
Severity ?
EPSS score ?
Summary
Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 9.2.4 Version: 0 ≤ 8.1.8 Version: 0 ≤ 9.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-01T18:32:28.384741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:03.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.4.0"
},
{
"status": "unaffected",
"version": "9.3.1"
},
{
"status": "unaffected",
"version": "9.2.5"
},
{
"status": "unaffected",
"version": "8.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Gian Klug (coderion)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send\u0026nbsp;multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send\u00a0multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T08:06:28.334Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4.0, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.4.0, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00281",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55467"
],
"discovery": "EXTERNAL"
},
"title": "Excessive resource consumption when sending long emoji names in user custom status",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-24988",
"datePublished": "2024-02-29T08:06:28.334Z",
"dateReserved": "2024-02-26T08:14:42.970Z",
"dateUpdated": "2024-08-01T23:36:21.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14457
Vulnerability from cvelistv5
Published
2020-06-19 13:13
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:13:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14457",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14457",
"datePublished": "2020-06-19T13:13:32",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11084
Vulnerability from cvelistv5
Published
2020-06-19 19:30
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.848Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:30:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11084",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11084",
"datePublished": "2020-06-19T19:30:10",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-37863
Vulnerability from cvelistv5
Published
2021-12-17 16:10
Modified
2024-08-04 01:30
Severity ?
EPSS score ?
Summary
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC | |
| https://hackerone.com/reports/1253732 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:30:08.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1253732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mattermost ",
"vendor": "Mattermost ",
"versions": [
{
"lessThanOrEqual": "6.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-17T16:10:30",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1253732"
}
],
"source": {
"advisory": "MMSA-2021-0075",
"defect": [
"https://mattermost.atlassian.net/browse/MM-36892"
],
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2021-37863",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "6.0"
}
]
}
}
]
},
"vendor_name": "Mattermost "
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
},
{
"name": "https://hackerone.com/reports/1253732",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1253732"
}
]
},
"source": {
"advisory": "MMSA-2021-0075",
"defect": [
"https://mattermost.atlassian.net/browse/MM-36892"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2021-37863",
"datePublished": "2021-12-17T16:10:30",
"dateReserved": "2021-08-02T00:00:00",
"dateUpdated": "2024-08-04T01:30:08.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18900
Vulnerability from cvelistv5
Published
2020-06-19 18:43
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:43:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18900",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18900",
"datePublished": "2020-06-19T18:43:18",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18918
Vulnerability from cvelistv5
Published
2020-06-19 19:19
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:19:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18918",
"datePublished": "2020-06-19T19:19:57",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-5333
Vulnerability from cvelistv5
Published
2023-10-09 10:41
Modified
2024-09-05 19:46
Severity ?
EPSS score ?
Summary
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.10 Version: 0 ≤ 8.0.2 Version: 0 ≤ 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:52:08.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5333",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T19:46:22.607275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T19:46:32.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.11"
},
{
"status": "unaffected",
"version": "8.0.3"
},
{
"status": "unaffected",
"version": "8.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to deduplicate input IDs allowing a\u0026nbsp;simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. \u003c/p\u003e"
}
],
"value": "Mattermost fails to deduplicate input IDs allowing a\u00a0simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T10:41:36.597Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00239",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54127"
],
"discovery": "EXTERNAL"
},
"title": " Denial of Service via multiple identical User IDs in /api/v4/users/ids",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-5333",
"datePublished": "2023-10-09T10:41:36.597Z",
"dateReserved": "2023-10-02T12:25:25.552Z",
"dateUpdated": "2024-09-05T19:46:32.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3591
Vulnerability from cvelistv5
Published
2023-07-17 15:30
Modified
2024-10-21 19:39
Severity ?
EPSS score ?
Summary
Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:38:35.067985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:39:25.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.10.3 "
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "SUBHASIS DATTA (claverrat)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to invalidate previously generated password reset tokens when a new reset token was created.\u003c/p\u003e"
}
],
"value": "Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:30:05.295Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions\u0026nbsp;v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions\u00a0v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00178",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52140"
],
"discovery": "EXTERNAL"
},
"title": "Lack of previous password reset tokens on new token creation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3591",
"datePublished": "2023-07-17T15:30:05.295Z",
"dateReserved": "2023-07-10T15:08:38.159Z",
"dateUpdated": "2024-10-21T19:39:25.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18901
Vulnerability from cvelistv5
Published
2020-06-19 18:09
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:09:26",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18901",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18901",
"datePublished": "2020-06-19T18:09:26",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-9548
Vulnerability from cvelistv5
Published
2020-06-19 19:30
Modified
2024-08-06 08:51
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:51:05.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:30:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-9548",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-9548",
"datePublished": "2020-06-19T19:30:35",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T08:51:05.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11074
Vulnerability from cvelistv5
Published
2020-06-19 19:26
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:26:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11074",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11074",
"datePublished": "2020-06-19T19:26:52",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20862
Vulnerability from cvelistv5
Published
2020-06-19 14:17
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team\u0027s slash commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:17:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20862",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team\u0027s slash commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20862",
"datePublished": "2020-06-19T14:17:46",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-39837
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 20:47
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 Version: 9.5.0 ≤ 9.5.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T20:47:43.584199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:51.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.9.0"
},
{
"lessThanOrEqual": "9.5.6",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.10.0"
},
{
"status": "unaffected",
"version": "9.9.1"
},
{
"status": "unaffected",
"version": "9.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6 fail to properly restrict channel creation\u0026nbsp;which allows\u0026nbsp;a malicious remote to create arbitrary channels,\u0026nbsp;when shared channels were enabled.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6 fail to properly restrict channel creation\u00a0which allows\u00a0a malicious remote to create arbitrary channels,\u00a0when shared channels were enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:05:06.182Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00332",
"defect": [
"https://mattermost.atlassian.net/browse/MM-57872"
],
"discovery": "INTERNAL"
},
"title": "Malicious remote can create arbitrary channels",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-39837",
"datePublished": "2024-08-01T14:05:06.182Z",
"dateReserved": "2024-07-23T17:55:45.342Z",
"dateUpdated": "2024-08-01T20:47:51.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20883
Vulnerability from cvelistv5
Published
2020-06-19 16:39
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:39:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20883",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20883",
"datePublished": "2020-06-19T16:39:30",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47145
Vulnerability from cvelistv5
Published
2024-09-26 08:01
Modified
2024-09-26 13:12
Severity ?
EPSS score ?
Summary
Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 ≤ 9.5.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:12:44.134084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T13:12:52.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.5.8",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.11.0"
},
{
"status": "unaffected",
"version": "9.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BhaRat (hackit_bharat)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows\u0026nbsp;an attacker to view posts and files of archived channels via file links.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.5.x \u003c= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows\u00a0an attacker to view posts and files of archived channels via file links."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T08:01:48.199Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.11.0, 9.5.9 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00358",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58522"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized access on archived channels via file links",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-47145",
"datePublished": "2024-09-26T08:01:48.199Z",
"dateReserved": "2024-09-23T07:55:36.353Z",
"dateUpdated": "2024-09-26T13:12:52.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20875
Vulnerability from cvelistv5
Published
2020-06-19 16:22
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:22:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20875",
"datePublished": "2020-06-19T16:22:05",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20843
Vulnerability from cvelistv5
Published
2020-06-19 13:25
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:25:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20843",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20843",
"datePublished": "2020-06-19T13:25:29",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11063
Vulnerability from cvelistv5
Published
2020-06-19 19:22
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.760Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:22:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11063",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11063",
"datePublished": "2020-06-19T19:22:15",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20890
Vulnerability from cvelistv5
Published
2020-06-19 16:44
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:44:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20890",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20890",
"datePublished": "2020-06-19T16:44:59",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47003
Vulnerability from cvelistv5
Published
2024-09-26 08:05
Modified
2024-09-26 13:11
Severity ?
EPSS score ?
Summary
Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.11.0 Version: 9.5.0 ≤ 9.5.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:10:27.555291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T13:11:00.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.11.0"
},
{
"lessThanOrEqual": "9.5.8",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "9.11.1"
},
{
"status": "unaffected",
"version": "9.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.0 and 9.5.x \u0026lt;= 9.5.8 fail to validate that the message of the permalink post is a string,\u0026nbsp;which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.11.x \u003c= 9.11.0 and 9.5.x \u003c= 9.5.8 fail to validate that the message of the permalink post is a string,\u00a0which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T08:05:16.392Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00373",
"defect": [
"https://mattermost.atlassian.net/browse/MM-59077"
],
"discovery": "EXTERNAL"
},
"title": "DoS via non-string message using permalink embed",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-47003",
"datePublished": "2024-09-26T08:05:16.392Z",
"dateReserved": "2024-09-23T07:55:36.376Z",
"dateUpdated": "2024-09-26T13:11:00.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1982
Vulnerability from cvelistv5
Published
2022-06-02 17:03
Modified
2024-12-06 23:08
Severity ?
EPSS score ?
Summary
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.5.x 6.5.0 Version: 6.6.x 6.6.0 Version: 5.x < Version: 6.x < Version: 6.4.x < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:53.154050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:08:59.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "6.5.x 6.5.0"
},
{
"status": "affected",
"version": "6.6.x 6.6.0"
},
{
"lessThanOrEqual": "5.39",
"status": "affected",
"version": "5.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.3.7",
"status": "affected",
"version": "6.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.4.2",
"status": "affected",
"version": "6.4.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-02T17:03:07",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"source": {
"advisory": "MMSA-2022-00104",
"defect": [
"https://mattermost.atlassian.net/browse/MM-43392"
],
"discovery": "INTERNAL"
},
"title": "A crafted SVG attachment can crash a Mattermost server",
"workarounds": [
{
"lang": "en",
"value": "Configure the maximum file size for message attachments to 20 megabytes or less: https://docs.mattermost.com/configure/configuration-settings.html#maximum-file-size"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-1982",
"STATE": "PUBLIC",
"TITLE": "A crafted SVG attachment can crash a Mattermost server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.x",
"version_value": "5.39"
},
{
"version_affected": "\u003c=",
"version_name": "6.x",
"version_value": "6.3.7"
},
{
"version_affected": "\u003c=",
"version_name": "6.4.x",
"version_value": "6.4.2"
},
{
"version_affected": "=",
"version_name": "6.5.x",
"version_value": "6.5.0"
},
{
"version_affected": "=",
"version_name": "6.6.x",
"version_value": "6.6.0"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"source": {
"advisory": "MMSA-2022-00104",
"defect": [
"https://mattermost.atlassian.net/browse/MM-43392"
],
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Configure the maximum file size for message attachments to 20 megabytes or less: https://docs.mattermost.com/configure/configuration-settings.html#maximum-file-size"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-1982",
"datePublished": "2022-06-02T17:03:07",
"dateReserved": "2022-06-02T00:00:00",
"dateUpdated": "2024-12-06T23:08:59.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1949
Vulnerability from cvelistv5
Published
2024-02-29 10:41
Modified
2024-08-01 18:56
Severity ?
EPSS score ?
Summary
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 8.1.0 ≤ 8.1.8 Version: 9.4.0 ≤ 9.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-29T13:47:08.940395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:05.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.1",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5"
},
{
"status": "unaffected",
"version": "9.4.2"
},
{
"status": "unaffected",
"version": "8.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Agniva De Sarker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts\u0027 contents via carefully timed post creation while another user deletes posts.\u003c/p\u003e"
}
],
"value": "A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts\u0027 contents via carefully timed post creation while another user deletes posts.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T10:41:54.916Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00267",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53642"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-1949",
"datePublished": "2024-02-29T10:41:54.916Z",
"dateReserved": "2024-02-27T19:08:16.634Z",
"dateUpdated": "2024-08-01T18:56:22.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18884
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18884",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18884",
"datePublished": "2020-06-19T18:08:48",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14452
Vulnerability from cvelistv5
Published
2020-06-19 13:09
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:09:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14452",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14452",
"datePublished": "2020-06-19T13:09:31",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-52032
Vulnerability from cvelistv5
Published
2024-11-09 17:19
Modified
2024-11-12 14:52
Severity ?
EPSS score ?
Summary
Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 10.0.0 Version: 9.11.0 ≤ 9.11.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:51:56.470956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:52:07.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "10.0.0"
},
{
"lessThanOrEqual": "9.11.2",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.1.0"
},
{
"status": "unaffected",
"version": "10.0.1"
},
{
"status": "unaffected",
"version": "9.11.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrian (thiefmaster)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 10.0.x \u0026lt;= 10.0.0 and 9.11.x \u0026lt;= 9.11.2 fail to properly query ElasticSearch when\u0026nbsp;searching for the channel name in channel switcher\u0026nbsp;which allows an attacker to get private channels names of channels that they are not a member of,\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewhen Elasticsearch v8 was enabled.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost versions 10.0.x \u003c= 10.0.0 and 9.11.x \u003c= 9.11.2 fail to properly query ElasticSearch when\u00a0searching for the channel name in channel switcher\u00a0which allows an attacker to get private channels names of channels that they are not a member of,\u00a0when Elasticsearch v8 was enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-09T17:19:35.639Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.1.0, 10.0.1, 9.11.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.1.0, 10.0.1, 9.11.3 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00385",
"defect": [
"https://mattermost.atlassian.net/browse/MM-60649"
],
"discovery": "EXTERNAL"
},
"title": "Private channel names leaking when Elasticsearch is enabled",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-52032",
"datePublished": "2024-11-09T17:19:35.639Z",
"dateReserved": "2024-11-05T09:14:34.860Z",
"dateUpdated": "2024-11-12T14:52:07.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1332
Vulnerability from cvelistv5
Published
2022-04-13 17:06
Modified
2024-12-06 23:09
Severity ?
EPSS score ?
Summary
One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.4 < 6.4.2 Version: 6.3 < 6.3.5 Version: 6.2 < 6.2.5 Version: 5.37 < 5.37.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:53:04.437714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:09:44.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost ",
"versions": [
{
"lessThan": "6.4.2",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"lessThan": "6.3.5",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"lessThan": "6.2.5",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"lessThan": "5.37.9",
"status": "affected",
"version": "5.37",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-13T17:06:03",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to version v6.4.2, 6.3.5, 6.2.5, or 5.37.9, depending on the minor version being run"
}
],
"source": {
"advisory": "MMSA-2022-0094",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42271"
],
"discovery": "INTERNAL"
},
"title": "Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-1332",
"STATE": "PUBLIC",
"TITLE": "Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.4",
"version_value": "6.4.2"
},
{
"version_affected": "\u003c",
"version_name": "6.3",
"version_value": "6.3.5"
},
{
"version_affected": "\u003c",
"version_name": "6.2",
"version_value": "6.2.5"
},
{
"version_affected": "\u003c",
"version_name": "5.37",
"version_value": "5.37.9"
}
]
}
}
]
},
"vendor_name": "Mattermost "
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Mattermost to version v6.4.2, 6.3.5, 6.2.5, or 5.37.9, depending on the minor version being run"
}
],
"source": {
"advisory": "MMSA-2022-0094",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42271"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-1332",
"datePublished": "2022-04-13T17:06:03",
"dateReserved": "2022-04-13T00:00:00",
"dateUpdated": "2024-12-06T23:09:44.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3582
Vulnerability from cvelistv5
Published
2023-07-17 15:21
Modified
2024-10-21 19:59
Severity ?
EPSS score ?
Summary
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to,
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.026Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3582",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:54:43.364581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:59:17.695Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.10.3"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.8.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ossi V\u00e4\u00e4n\u00e4nen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don\u0027t have access to,\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don\u0027t have access to,\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:21:35.038Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3\u0026nbsp;or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3\u00a0or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00147",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51062"
],
"discovery": "INTERNAL"
},
"title": "Lack of channel membership check when linking a board to a channel",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3582",
"datePublished": "2023-07-17T15:21:35.038Z",
"dateReserved": "2023-07-10T12:41:59.203Z",
"dateUpdated": "2024-10-21T19:59:17.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27266
Vulnerability from cvelistv5
Published
2023-02-27 14:46
Modified
2024-12-06 23:06
Severity ?
EPSS score ?
Summary
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 5.12.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:42.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:16.745155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:06:25.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "7.7.0",
"status": "affected",
"version": "5.12.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "foobar7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eMattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-27T14:46:28.880Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version 7.7.0 or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version 7.7.0 or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00132",
"defect": [
"https://mattermost.atlassian.net/browse/MM-47983"
],
"discovery": "EXTERNAL"
},
"title": "Disclosure of team owner email address when when accessing the teams API",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-27266",
"datePublished": "2023-02-27T14:46:28.880Z",
"dateReserved": "2023-02-27T14:31:01.786Z",
"dateUpdated": "2024-12-06T23:06:25.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18882
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18882",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18882",
"datePublished": "2020-06-19T18:08:46",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20879
Vulnerability from cvelistv5
Published
2020-06-19 16:29
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:29:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20879",
"datePublished": "2020-06-19T16:29:00",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2445
Vulnerability from cvelistv5
Published
2024-03-15 09:19
Modified
2024-08-01 19:11
Severity ?
EPSS score ?
Summary
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.4.0 ≤ 9.4.2 Version: 9.3.0 ≤ 9.3.1 Version: 9.2.0 ≤ 9.2.5 Version: 8.1.0 ≤ 8.1.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-18T18:53:41.753419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:11.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.4.2",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.1",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.5",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.9",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5.0"
},
{
"status": "unaffected",
"version": "9.4.3"
},
{
"status": "unaffected",
"version": "9.3.2"
},
{
"status": "unaffected",
"version": "9.2.6"
},
{
"status": "unaffected",
"version": "8.1.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.\u003c/p\u003e"
}
],
"value": "Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-15T09:19:50.127Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to versions 8.1.0, 9.3.2, 9.4.3, 9.5.0 or higher."
}
],
"value": "Update Mattermost to versions 8.1.0, 9.3.2, 9.4.3, 9.5.0 or higher."
}
],
"source": {
"advisory": "MMSA-2023-00260",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54921"
],
"discovery": "INTERNAL"
},
"title": "Reflected XSS in Mattermost Jira plugin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-2445",
"datePublished": "2024-03-15T09:19:50.127Z",
"dateReserved": "2024-03-14T11:40:19.218Z",
"dateUpdated": "2024-08-01T19:11:53.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18891
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18891",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18891",
"datePublished": "2020-06-19T18:08:50",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14448
Vulnerability from cvelistv5
Published
2020-06-19 13:05
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:05:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14448",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14448",
"datePublished": "2020-06-19T13:05:34",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21261
Vulnerability from cvelistv5
Published
2020-06-19 16:51
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:51:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21261",
"datePublished": "2020-06-19T16:51:44",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3593
Vulnerability from cvelistv5
Published
2023-07-17 15:38
Modified
2024-10-21 19:40
Severity ?
EPSS score ?
Summary
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:17:40.637350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:40:56.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly validate markdown, allowing an attacker to c\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003erash the server\u003c/span\u003e via a specially crafted markdown input.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:38:57.759Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to versions v7.8.7,\u0026nbsp;v7.9.5, v7.10.3 or higher"
}
],
"value": "Update Mattermost to versions v7.8.7,\u00a0v7.9.5, v7.10.3 or higher"
}
],
"source": {
"advisory": "MMSA-2023-00185",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52526"
],
"discovery": "INTERNAL"
},
"title": "Server crash via a specially crafted markdown input",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3593",
"datePublished": "2023-07-17T15:38:57.759Z",
"dateReserved": "2023-07-10T15:18:02.205Z",
"dateUpdated": "2024-10-21T19:40:56.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21263
Vulnerability from cvelistv5
Published
2020-06-19 16:45
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user\u0027s account via a crafted SAML response."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:45:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21263",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user\u0027s account via a crafted SAML response."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21263",
"datePublished": "2020-06-19T16:45:07",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18919
Vulnerability from cvelistv5
Published
2020-06-19 19:20
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.450Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:20:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18919",
"datePublished": "2020-06-19T19:20:39",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-41162
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-02 15:01
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 Version: 9.5.0 ≤ 9.5.6 Version: 9.7.0 ≤ 9.7.5 Version: 9.8.0 ≤ 9.8.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T14:45:25.763522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T15:01:29.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.9.0"
},
{
"lessThanOrEqual": "9.5.6",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.7.5",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.8.1",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.10.0"
},
{
"status": "unaffected",
"version": "9.9.1"
},
{
"status": "unaffected",
"version": "9.5.7"
},
{
"status": "unaffected",
"version": "9.7.6"
},
{
"status": "unaffected",
"version": "9.8.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5 and 9.8.x \u0026lt;= 9.8.1 fail to disallow\u0026nbsp;the modification of local channels by a remote, when shared channels are enabled, which allows\u0026nbsp;a malicious remote to make an arbitrary local channel read-only.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5 and 9.8.x \u003c= 9.8.1 fail to disallow\u00a0the modification of local channels by a remote, when shared channels are enabled, which allows\u00a0a malicious remote to make an arbitrary local channel read-only."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:05:09.501Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00330",
"defect": [
"https://mattermost.atlassian.net/browse/MM-57868"
],
"discovery": "INTERNAL"
},
"title": "Malicious remote can make an arbitrary local channel read-only",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-41162",
"datePublished": "2024-08-01T14:05:09.501Z",
"dateReserved": "2024-07-23T17:55:45.298Z",
"dateUpdated": "2024-08-02T15:01:29.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45316
Vulnerability from cvelistv5
Published
2023-12-12 08:23
Modified
2024-08-02 20:21
Severity ?
EPSS score ?
Summary
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 9.1.2 Version: 0 ≤ 9.0.3 Version: 0 ≤ 8.1.5 Version: 0 ≤ 7.8.14 Version: 0 ≤ 9.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:15.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.14",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.0.4"
},
{
"status": "unaffected",
"version": "9.1.3"
},
{
"status": "unaffected",
"version": "9.2.2"
},
{
"status": "unaffected",
"version": "7.8.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/\u0026lt;telem_run_id\u0026gt; as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a\u0026nbsp;CSRF attack.\u003c/p\u003e"
}
],
"value": "Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/\u003ctelem_run_id\u003e as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a\u00a0CSRF attack.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:23:17.299Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e7.8.15,\u0026nbsp;\u003c/span\u003e8.1.6, 9.0.4, 9.1.3, 9.2.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 7.8.15,\u00a08.1.6, 9.0.4, 9.1.3, 9.2.2 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00245",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54363"
],
"discovery": "EXTERNAL"
},
"title": "Reflected client side path traversal leading to CSRF in Playbooks",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-45316",
"datePublished": "2023-12-12T08:23:17.299Z",
"dateReserved": "2023-12-05T08:22:34.306Z",
"dateUpdated": "2024-08-02T20:21:15.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1774
Vulnerability from cvelistv5
Published
2023-03-31 11:14
Modified
2024-12-06 23:05
Severity ?
EPSS score ?
Summary
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.7.1 Version: 0 ≤ 7.1.5 Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:25.193Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:03.365512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:05:52.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.7.2"
},
{
"status": "unaffected",
"version": "7.8.0"
},
{
"status": "unaffected",
"version": "7.1.6"
},
{
"lessThanOrEqual": "7.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "hackit_BhaRat"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen processing an email invite to a private channel on a team, Mattermost fails to validate the inviter\u0027s permission to that channel, allowing an attacker to invite themselves to a private channel.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter\u0027s permission to that channel, allowing an attacker to invite themselves to a private channel.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-31T11:14:00.954Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00137",
"defect": [
"https://mattermost.atlassian.net/browse/MM-49813"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized email invite to a private channel",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-1774",
"datePublished": "2023-03-31T11:14:00.954Z",
"dateReserved": "2023-03-31T11:12:43.830Z",
"dateUpdated": "2024-12-06T23:05:52.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3586
Vulnerability from cvelistv5
Published
2023-07-17 15:25
Modified
2024-10-22 13:40
Severity ?
EPSS score ?
Summary
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3586",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:32:51.306394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:40:29.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Pallinger (danipalli)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to disable\u0026nbsp;public Boards after the \"Enable Publicly-Shared Boards\" configuration option is disabled, resulting in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003epreviously-shared\u0026nbsp;public Boards to remain accessible.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost fails to disable\u00a0public Boards after the \"Enable Publicly-Shared Boards\" configuration option is disabled, resulting in\u00a0previously-shared\u00a0public Boards to remain accessible.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:25:30.532Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00176",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51820"
],
"discovery": "EXTERNAL"
},
"title": " Disabling publicly-shared boards does not disable existing publicly available board links",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3586",
"datePublished": "2023-07-17T15:25:30.532Z",
"dateReserved": "2023-07-10T13:57:18.062Z",
"dateUpdated": "2024-10-22T13:40:29.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20887
Vulnerability from cvelistv5
Published
2020-06-19 16:39
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:39:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20887",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20887",
"datePublished": "2020-06-19T16:39:39",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21249
Vulnerability from cvelistv5
Published
2020-06-19 16:47
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:47:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21249",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21249",
"datePublished": "2020-06-19T16:47:49",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-37862
Vulnerability from cvelistv5
Published
2021-12-17 16:10
Modified
2024-08-04 01:30
Severity ?
EPSS score ?
Summary
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC | |
| https://hackerone.com/reports/1357013 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:30:09.135Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1357013"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mattermost ",
"vendor": "Mattermost ",
"versions": [
{
"lessThanOrEqual": "6.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-17T16:10:29",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1357013"
}
],
"source": {
"advisory": "MMSA-2021-0074",
"defect": [
"https://mattermost.atlassian.net/browse/MM-39205"
],
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2021-37862",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "6.0"
}
]
}
}
]
},
"vendor_name": "Mattermost "
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
},
{
"name": "https://hackerone.com/reports/1357013",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1357013"
}
]
},
"source": {
"advisory": "MMSA-2021-0074",
"defect": [
"https://mattermost.atlassian.net/browse/MM-39205"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2021-37862",
"datePublished": "2021-12-17T16:10:29",
"dateReserved": "2021-08-02T00:00:00",
"dateUpdated": "2024-08-04T01:30:09.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-24774
Vulnerability from cvelistv5
Published
2024-02-09 14:46
Modified
2024-08-21 15:26
Severity ?
EPSS score ?
Summary
Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T15:25:20.905486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T15:26:06.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Michael Kochell"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in\u0026nbsp;registered users on Jira being able to create webhooks that give them access to all Jira issues.\u003c/p\u003e"
}
],
"value": "Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in\u00a0registered users on Jira being able to create webhooks that give them access to all Jira issues.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T14:46:58.777Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to version\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e4.0.1 or higher.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to version\u00a04.0.1 or higher.\u00a0\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00187",
"defect": [
"https://mattermost.atlassian.net/browse/MM-44212"
],
"discovery": "EXTERNAL"
},
"title": "Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-24774",
"datePublished": "2024-02-09T14:46:58.777Z",
"dateReserved": "2024-01-30T10:23:06.701Z",
"dateUpdated": "2024-08-21T15:26:06.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1776
Vulnerability from cvelistv5
Published
2023-03-31 11:29
Modified
2024-12-06 23:05
Severity ?
EPSS score ?
Summary
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 3.3.0 ≤ 7.7.1 Version: 3.3.0 ≤ 7.1.5 Version: 3.3.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:25.242Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:55:49.006699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:05:30.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.7.1",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.5",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "7.8.0",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.0"
},
{
"status": "unaffected",
"version": "7.7.2"
},
{
"status": "unaffected",
"version": "7.1.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Veshraj Ghimire (ghimire_veshraj)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eBoards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-31T11:29:36.185Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00139",
"defect": [
"https://mattermost.atlassian.net/browse/MM-50167"
],
"discovery": "EXTERNAL"
},
"title": "Stored XSS via SVG attachment on Boards",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-1776",
"datePublished": "2023-03-31T11:29:36.185Z",
"dateReserved": "2023-03-31T11:29:24.127Z",
"dateUpdated": "2024-12-06T23:05:30.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18902
Vulnerability from cvelistv5
Published
2020-06-19 18:43
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:43:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18902",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18902",
"datePublished": "2020-06-19T18:43:20",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18888
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18888",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18888",
"datePublished": "2020-06-19T18:10:58",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20873
Vulnerability from cvelistv5
Published
2020-06-19 15:24
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:24:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20873",
"datePublished": "2020-06-19T15:24:13",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20871
Vulnerability from cvelistv5
Published
2020-06-19 15:22
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:22:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20871",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20871",
"datePublished": "2020-06-19T15:22:39",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20870
Vulnerability from cvelistv5
Published
2020-06-19 15:21
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post\u0027s file ID."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:21:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post\u0027s file ID."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20870",
"datePublished": "2020-06-19T15:21:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18910
Vulnerability from cvelistv5
Published
2020-06-19 18:45
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.297Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:45:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18910",
"datePublished": "2020-06-19T18:45:56",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2515
Vulnerability from cvelistv5
Published
2023-05-12 08:53
Modified
2024-12-06 23:04
Severity ?
EPSS score ?
Summary
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.1.7 Version: 0 ≤ 7.7.3 Version: 0 ≤ 7.8.2 Version: 0 ≤ 7.9.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2515",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:51:44.100352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:04:24.695Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.1.8"
},
{
"status": "unaffected",
"version": "7.7.4"
},
{
"status": "unaffected",
"version": "7.8.3"
},
{
"status": "unaffected",
"version": "7.9.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Eva Sarafianou"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin\u003cbr\u003e"
}
],
"value": "Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T08:53:44.111Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost Server to versions 7.1.8, 7.7.4, 7.8.3, 7.9.2 or higher.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Update Mattermost Server to versions 7.1.8, 7.7.4, 7.8.3, 7.9.2 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00162",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51723"
],
"discovery": "INTERNAL"
},
"title": "Privilege escalation to system admin via personal access tokens",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-2515",
"datePublished": "2023-05-12T08:53:44.111Z",
"dateReserved": "2023-05-04T11:36:47.883Z",
"dateUpdated": "2024-12-06T23:04:24.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20877
Vulnerability from cvelistv5
Published
2020-06-19 16:28
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:28:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20877",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20877",
"datePublished": "2020-06-19T16:28:20",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42406
Vulnerability from cvelistv5
Published
2024-09-26 08:04
Modified
2024-09-26 13:11
Severity ?
EPSS score ?
Summary
Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.11.0 Version: 9.10.0 ≤ 9.10.1 Version: 9.9.0 ≤ 9.9.2 Version: 9.5.0 ≤ 9.5.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:11:20.126365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T13:11:34.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.11.0"
},
{
"lessThanOrEqual": "9.10.1",
"status": "affected",
"version": "9.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.9.2",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.8",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "9.11.1"
},
{
"status": "unaffected",
"version": "9.10.2"
},
{
"status": "unaffected",
"version": "9.9.3"
},
{
"status": "unaffected",
"version": "9.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Espino Garcia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.0, 9.10.x \u0026lt;= 9.10.1, 9.9.x \u0026lt;= 9.9.2 and 9.5.x \u0026lt;= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u0026nbsp;an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.11.x \u003c= 9.11.0, 9.10.x \u003c= 9.10.1, 9.9.x \u003c= 9.9.2 and 9.5.x \u003c= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u00a0an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T08:04:22.939Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00351",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58491"
],
"discovery": "INTERNAL"
},
"title": "Unauthorized access on archived channels",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-42406",
"datePublished": "2024-09-26T08:04:22.939Z",
"dateReserved": "2024-09-23T07:55:36.322Z",
"dateUpdated": "2024-09-26T13:11:34.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11081
Vulnerability from cvelistv5
Published
2020-06-19 19:29
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:29:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11081",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11081",
"datePublished": "2020-06-19T19:29:13",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20876
Vulnerability from cvelistv5
Published
2020-06-19 16:22
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:22:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20876",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20876",
"datePublished": "2020-06-19T16:22:57",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20888
Vulnerability from cvelistv5
Published
2020-06-19 16:46
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:46:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20888",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20888",
"datePublished": "2020-06-19T16:46:39",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20847
Vulnerability from cvelistv5
Published
2020-06-19 13:31
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:31:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20847",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20847",
"datePublished": "2020-06-19T13:31:36",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11069
Vulnerability from cvelistv5
Published
2020-06-19 19:25
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.587Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:25:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11069",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11069",
"datePublished": "2020-06-19T19:25:13",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18875
Vulnerability from cvelistv5
Published
2020-06-19 16:47
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:47:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18875",
"datePublished": "2020-06-19T16:47:13",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20857
Vulnerability from cvelistv5
Published
2020-06-19 14:10
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:10:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20857",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20857",
"datePublished": "2020-06-19T14:10:50",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20884
Vulnerability from cvelistv5
Published
2020-06-19 16:42
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:42:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20884",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20884",
"datePublished": "2020-06-19T16:42:05",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14458
Vulnerability from cvelistv5
Published
2020-06-19 13:14
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the \"get channel by name\" API, aka MMSA-2020-0004."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:14:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14458",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the \"get channel by name\" API, aka MMSA-2020-0004."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14458",
"datePublished": "2020-06-19T13:14:22",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1385
Vulnerability from cvelistv5
Published
2022-04-19 20:26
Modified
2024-12-06 23:09
Severity ?
EPSS score ?
Summary
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC | |
| https://hackerone.com/reports/1486820 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: unspecified < 6.5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:06.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1486820"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:53:01.351181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:09:33.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "6.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to mr_anon (mr_anksec) for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-664",
"description": "CWE-664 Improper Control of a Resource Through its Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T20:26:27",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1486820"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to version v6.5 or higher"
}
],
"source": {
"advisory": "MMSA-2022-0092",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42026"
],
"discovery": "EXTERNAL"
},
"title": "Invitation Email is resent as a Reminder after invalidating pending email invites",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-1385",
"STATE": "PUBLIC",
"TITLE": "Invitation Email is resent as a Reminder after invalidating pending email invites"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.5.0"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to mr_anon (mr_anksec) for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-664 Improper Control of a Resource Through its Lifetime"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
},
{
"name": "https://hackerone.com/reports/1486820",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1486820"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Mattermost to version v6.5 or higher"
}
],
"source": {
"advisory": "MMSA-2022-0092",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42026"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-1385",
"datePublished": "2022-04-19T20:26:27",
"dateReserved": "2022-04-18T00:00:00",
"dateUpdated": "2024-12-06T23:09:33.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14459
Vulnerability from cvelistv5
Published
2020-06-19 13:15
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:15:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14459",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14459",
"datePublished": "2020-06-19T13:15:13",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20860
Vulnerability from cvelistv5
Published
2020-06-19 14:14
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:14:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20860",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20860",
"datePublished": "2020-06-19T14:14:57",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11079
Vulnerability from cvelistv5
Published
2020-06-19 19:28
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:28:42",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11079",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11079",
"datePublished": "2020-06-19T19:28:42",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21262
Vulnerability from cvelistv5
Published
2020-06-19 16:51
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.587Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:51:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21262",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21262",
"datePublished": "2020-06-19T16:51:43",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0903
Vulnerability from cvelistv5
Published
2022-03-09 15:17
Modified
2024-12-06 23:10
Severity ?
EPSS score ?
Summary
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.3 < 6.3.3 Version: 6.2 < 6.2.3 Version: 6.1 < 6.1.3 Version: 5.37 < 5.37.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-0903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:57:54.573092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:10:52.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "6.3.3",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"lessThan": "6.2.3",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"lessThan": "6.1.3",
"status": "affected",
"version": "6.1",
"versionType": "custom"
},
{
"lessThan": "5.37.8",
"status": "affected",
"version": "5.37",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Call stack overflow / goroutine stack overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:17:27",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run"
}
],
"source": {
"advisory": "MMSA-2022-0087",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41263"
],
"discovery": "UNKNOWN"
},
"title": "Stack overflow in SAML login in Mattermost",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-0903",
"STATE": "PUBLIC",
"TITLE": "Stack overflow in SAML login in Mattermost"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.3",
"version_value": "6.3.3"
},
{
"version_affected": "\u003c",
"version_name": "6.2",
"version_value": "6.2.3"
},
{
"version_affected": "\u003c",
"version_name": "6.1",
"version_value": "6.1.3"
},
{
"version_affected": "\u003c",
"version_name": "5.37",
"version_value": "5.37.8"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Call stack overflow / goroutine stack overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run"
}
],
"source": {
"advisory": "MMSA-2022-0087",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41263"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-0903",
"datePublished": "2022-03-09T15:17:27",
"dateReserved": "2022-03-09T00:00:00",
"dateUpdated": "2024-12-06T23:10:52.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21259
Vulnerability from cvelistv5
Published
2020-06-19 16:47
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:47:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21259",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21259",
"datePublished": "2020-06-19T16:47:10",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20854
Vulnerability from cvelistv5
Published
2020-06-19 14:05
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.406Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:05:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20854",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20854",
"datePublished": "2020-06-19T14:05:45",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20865
Vulnerability from cvelistv5
Published
2020-06-19 15:12
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:12:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20865",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20865",
"datePublished": "2020-06-19T15:12:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18887
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator\u0027s e-mail address to members."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18887",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator\u0027s e-mail address to members."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18887",
"datePublished": "2020-06-19T18:10:59",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23319
Vulnerability from cvelistv5
Published
2024-02-09 14:42
Modified
2024-08-01 22:59
Severity ?
EPSS score ?
Summary
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23319",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T14:55:39.238454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:45:50.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rohitesh Gupta"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user\u0027s\u0026nbsp;Jira connection in Mattermost only by viewing the message."
}
],
"value": "Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user\u0027s\u00a0Jira connection in Mattermost only by viewing the message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T14:42:22.126Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to versions v4.1.0\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to versions v4.1.0\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00194",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51921"
],
"discovery": "INTERNAL"
},
"title": "CSRF issue allows disconnecting a user\u0027s Jira connection through a simple post message (Jira Plugin)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-23319",
"datePublished": "2024-02-09T14:42:22.126Z",
"dateReserved": "2024-01-30T10:23:06.712Z",
"dateUpdated": "2024-08-01T22:59:32.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23493
Vulnerability from cvelistv5
Published
2024-02-29 08:02
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 9.4.1 Version: 0 ≤ 9.3.0 Version: 0 ≤ 9.2.5 Version: 0 ≤ 8.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T16:06:51.577325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:45:38.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:24.717Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5.0"
},
{
"status": "unaffected",
"version": "9.4.2"
},
{
"status": "unaffected",
"version": "9.3.1"
},
{
"status": "unaffected",
"version": "9.2.5"
},
{
"status": "unaffected",
"version": "8.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly authorize the requests fetching\u0026nbsp;team associated AD/LDAP groups, allowing a user to fetch details of\u0026nbsp;AD/LDAP groups of a team that they are not a member of.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly authorize the requests fetching\u00a0team associated AD/LDAP groups, allowing a user to fetch details of\u00a0AD/LDAP groups of a team that they are not a member of.\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T08:02:32.128Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 9.4.2, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.5.0, 9.4.2, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00284",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55216"
],
"discovery": "EXTERNAL"
},
"title": " Team associated AD/LDAP Groups Leaked due to missing authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-23493",
"datePublished": "2024-02-29T08:02:32.128Z",
"dateReserved": "2024-02-26T08:14:42.964Z",
"dateUpdated": "2024-08-01T23:06:24.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-50333
Vulnerability from cvelistv5
Published
2024-01-02 09:53
Modified
2024-08-02 22:16
Severity ?
EPSS score ?
Summary
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 9.2.2 Version: 0 ≤ 8.1.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Leandro Chaves (brdoors3)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing\u0026nbsp;freshly demoted guests to change group names.\u003c/p\u003e"
}
],
"value": "Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing\u00a0freshly demoted guests to change group names.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T09:53:01.990Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.3.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00263",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54773"
],
"discovery": "EXTERNAL"
},
"title": "Lack of restriction to manage group names for freshly demoted guests",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-50333",
"datePublished": "2024-01-02T09:53:01.990Z",
"dateReserved": "2023-12-21T08:00:43.432Z",
"dateUpdated": "2024-08-02T22:16:46.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18870
Vulnerability from cvelistv5
Published
2020-06-19 16:47
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:47:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18870",
"datePublished": "2020-06-19T16:47:11",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1337
Vulnerability from cvelistv5
Published
2022-04-13 17:06
Modified
2024-12-06 23:10
Severity ?
EPSS score ?
Summary
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.4 < 6.4.2 Version: 6.3 < 6.3.5 Version: 6.2 < 6.2.5 Version: 5.37 < 5.37.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:53:09.720318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:10:06.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "6.4.2",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"lessThan": "6.3.5",
"status": "affected",
"version": "6.3",
"versionType": "custom"
},
{
"lessThan": "6.2.5",
"status": "affected",
"version": "6.2",
"versionType": "custom"
},
{
"lessThan": "5.37.9",
"status": "affected",
"version": "5.37",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "The local image proxy must be enabled for this issue to become exploitable. This is a non-default configuration."
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Agniva de Sarker for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-13T17:06:00",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Mattermost version 6.4.2, 6.3.5, 6.2.5, or 5.37.9."
}
],
"source": {
"advisory": "MMSA-2022-0090",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41919"
],
"discovery": "INTERNAL"
},
"title": "OOM DoS in Mattermost image proxy",
"workarounds": [
{
"lang": "en",
"value": "Disable the image proxy or use an external proxy."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-1337",
"STATE": "PUBLIC",
"TITLE": "OOM DoS in Mattermost image proxy"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.4",
"version_value": "6.4.2"
},
{
"version_affected": "\u003c",
"version_name": "6.3",
"version_value": "6.3.5"
},
{
"version_affected": "\u003c",
"version_name": "6.2",
"version_value": "6.2.5"
},
{
"version_affected": "\u003c",
"version_name": "5.37",
"version_value": "5.37.9"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "The local image proxy must be enabled for this issue to become exploitable. This is a non-default configuration."
}
],
"credit": [
{
"lang": "eng",
"value": "Thanks to Agniva de Sarker for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to Mattermost version 6.4.2, 6.3.5, 6.2.5, or 5.37.9."
}
],
"source": {
"advisory": "MMSA-2022-0090",
"defect": [
"https://mattermost.atlassian.net/browse/MM-41919"
],
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Disable the image proxy or use an external proxy."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-1337",
"datePublished": "2022-04-13T17:06:00",
"dateReserved": "2022-04-13T00:00:00",
"dateUpdated": "2024-12-06T23:10:06.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20846
Vulnerability from cvelistv5
Published
2020-06-19 13:29
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:29:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20846",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20846",
"datePublished": "2020-06-19T13:29:06",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20841
Vulnerability from cvelistv5
Published
2020-06-19 13:17
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:17:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20841",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20841",
"datePublished": "2020-06-19T13:17:36",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1953
Vulnerability from cvelistv5
Published
2024-02-29 10:42
Modified
2024-08-16 20:58
Severity ?
EPSS score ?
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.4.0 ≤ 9.4.1 Version: 9.3.0 Version: 9.2.0 ≤ 9.2.4 Version: 8.1.0 ≤ 8.1.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T20:58:10.089758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T20:58:25.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.4.1",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.3.0"
},
{
"lessThanOrEqual": "9.2.4",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5"
},
{
"status": "unaffected",
"version": "9.4.2"
},
{
"status": "unaffected",
"version": "9.3.1"
},
{
"status": "unaffected",
"version": "9.2.5"
},
{
"status": "unaffected",
"version": "8.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.\u003c/p\u003e"
}
],
"value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T10:42:41.576Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5, 9.4.2, 9.3.1, 9.2.5, 8.1.9, or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.5, 9.4.2, 9.3.1, 9.2.5, 8.1.9, or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00273",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55093"
],
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-1953",
"datePublished": "2024-02-29T10:42:41.576Z",
"dateReserved": "2024-02-27T19:37:27.574Z",
"dateUpdated": "2024-08-16T20:58:25.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42000
Vulnerability from cvelistv5
Published
2024-11-09 17:17
Modified
2024-11-12 14:53
Severity ?
EPSS score ?
Summary
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.10.0 ≤ 9.10.2 Version: 9.11.0 ≤ 9.11.1 Version: 9.5.0 ≤ 9.5.9 Version: 10.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42000",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:52:58.078631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:53:08.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.10.2",
"status": "affected",
"version": "9.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.11.1",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.9",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "10.1.0"
},
{
"status": "unaffected",
"version": "9.10.3"
},
{
"status": "unaffected",
"version": "9.11.2"
},
{
"status": "unaffected",
"version": "9.5.10"
},
{
"status": "unaffected",
"version": "10.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "othman (3thm4n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 and 10.0.x \u0026lt;= 10.0.0 fail to properly authorize the requests to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/api/v4/channels\u003c/span\u003e \u0026nbsp;which allows\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea User or System Manager, with \"Read Groups\" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to\u0026nbsp;/api/v4/channels.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 and 10.0.x \u003c= 10.0.0 fail to properly authorize the requests to\u00a0/api/v4/channels \u00a0which allows\u00a0a User or System Manager, with \"Read Groups\" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to\u00a0/api/v4/channels."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-09T17:17:25.038Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.1.0, 9.10.3, 9.11.2, 9.5.10, 10.0.1 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.1.0, 9.10.3, 9.11.2, 9.5.10, 10.0.1 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00381",
"defect": [
"https://mattermost.atlassian.net/browse/MM-60239"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized Access to view channels\u0027 details",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-42000",
"datePublished": "2024-11-09T17:17:25.038Z",
"dateReserved": "2024-11-05T09:14:34.854Z",
"dateUpdated": "2024-11-12T14:53:08.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18892
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18892",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18892",
"datePublished": "2020-06-19T18:08:51",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18897
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18897",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18897",
"datePublished": "2020-06-19T18:10:53",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18906
Vulnerability from cvelistv5
Published
2020-06-19 19:18
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else\u0027s account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:18:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18906",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else\u0027s account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18906",
"datePublished": "2020-06-19T19:18:16",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3577
Vulnerability from cvelistv5
Published
2023-07-17 15:18
Modified
2024-10-21 19:58
Severity ?
EPSS score ?
Summary
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.9.6 Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3577",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:54:47.990458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:58:58.448Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.9.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "WGH (wgh_)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly restrict requests to\u0026nbsp;localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u0026nbsp;blind SSRF.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly restrict requests to\u00a0localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u00a0blind SSRF.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:18:07.871Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp; v7.8.7,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions\u00a0 v7.8.7,\u00a0v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00202",
"defect": [
"https://mattermost.atlassian.net/browse/MM-37690"
],
"discovery": "EXTERNAL"
},
"title": "Limited blind SSRF to localhost/intranet in interactive dialog implementation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3577",
"datePublished": "2023-07-17T15:18:07.871Z",
"dateReserved": "2023-07-10T09:47:27.158Z",
"dateUpdated": "2024-10-21T19:58:58.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18905
Vulnerability from cvelistv5
Published
2020-06-19 19:17
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:17:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18905",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18905",
"datePublished": "2020-06-19T19:17:03",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18877
Vulnerability from cvelistv5
Published
2020-06-19 16:50
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:50:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18877",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18877",
"datePublished": "2020-06-19T16:50:36",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11075
Vulnerability from cvelistv5
Published
2020-06-19 19:27
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:27:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11075",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11075",
"datePublished": "2020-06-19T19:27:18",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11076
Vulnerability from cvelistv5
Published
2020-06-19 19:27
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:35.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:27:37",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11076",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11076",
"datePublished": "2020-06-19T19:27:37",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:35.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18876
Vulnerability from cvelistv5
Published
2020-06-19 16:50
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.312Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:50:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18876",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18876",
"datePublished": "2020-06-19T16:50:02",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11066
Vulnerability from cvelistv5
Published
2020-06-19 19:23
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.723Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:23:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11066",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11066",
"datePublished": "2020-06-19T19:23:24",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11080
Vulnerability from cvelistv5
Published
2020-06-19 19:28
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:28:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11080",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11080",
"datePublished": "2020-06-19T19:28:59",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18904
Vulnerability from cvelistv5
Published
2020-06-19 18:45
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:45:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18904",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18904",
"datePublished": "2020-06-19T18:45:31",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2447
Vulnerability from cvelistv5
Published
2024-04-05 08:52
Modified
2024-08-01 19:11
Severity ?
EPSS score ?
Summary
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 ≤ 9.5.1 Version: 9.4.0 ≤ 9.4.3 Version: 9.3.0 ≤ 9.3.2 Version: 8.1.0 ≤ 8.1.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T15:51:10.928653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:51:20.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.5.1",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.3",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.2",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.10",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.6.0"
},
{
"status": "unaffected",
"version": "9.5.2"
},
{
"status": "unaffected",
"version": "9.4.4"
},
{
"status": "unaffected",
"version": "9.3.3"
},
{
"status": "unaffected",
"version": "8.1.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.\u003c/p\u003e"
}
],
"value": "Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T08:52:59.664Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2024-00306",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56634"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-2447",
"datePublished": "2024-04-05T08:52:59.664Z",
"dateReserved": "2024-03-14T12:23:53.044Z",
"dateUpdated": "2024-08-01T19:11:53.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11072
Vulnerability from cvelistv5
Published
2020-06-19 19:26
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:26:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11072",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11072",
"datePublished": "2020-06-19T19:26:14",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14450
Vulnerability from cvelistv5
Published
2020-06-19 13:07
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:07:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14450",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14450",
"datePublished": "2020-06-19T13:07:52",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-43780
Vulnerability from cvelistv5
Published
2024-08-22 15:17
Modified
2024-08-22 16:06
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 ≤ 9.9.1 Version: 9.5.0 ≤ 9.5.7 Version: 9.10.0 Version: 9.8.0 ≤ 9.8.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T16:06:12.738586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T16:06:25.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.9.1",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.7",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.10.0"
},
{
"lessThanOrEqual": "9.8.2",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.11.0"
},
{
"status": "unaffected",
"version": "9.9.2"
},
{
"status": "unaffected",
"version": "9.5.8"
},
{
"status": "unaffected",
"version": "9.10.1"
},
{
"status": "unaffected",
"version": "9.8.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BhaRat (hackit_bharat)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.0, 9.8.x \u0026lt;= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.0, 9.8.x \u003c= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T15:17:11.947Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00357",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58524"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized channel file upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-43780",
"datePublished": "2024-08-22T15:17:11.947Z",
"dateReserved": "2024-08-16T17:27:00.321Z",
"dateUpdated": "2024-08-22T16:06:25.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18899
Vulnerability from cvelistv5
Published
2020-06-19 18:42
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:42:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18899",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18899",
"datePublished": "2020-06-19T18:42:06",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21256
Vulnerability from cvelistv5
Published
2020-06-19 17:44
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T17:44:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21256",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21256",
"datePublished": "2020-06-19T17:44:07",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-40884
Vulnerability from cvelistv5
Published
2024-08-22 15:17
Modified
2024-08-22 18:08
Severity ?
EPSS score ?
Summary
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 ≤ 9.5.7 Version: 9.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40884",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T18:06:51.539483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T18:08:37.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.5.7",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.10.0"
},
{
"status": "unaffected",
"version": "9.11.0"
},
{
"status": "unaffected",
"version": "9.5.8"
},
{
"status": "unaffected",
"version": "9.10.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omar ahmed (omar-ahmed)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T15:17:10.938Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00352",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58556"
],
"discovery": "EXTERNAL"
},
"title": "Unauthorized disabling of invite URL",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-40884",
"datePublished": "2024-08-22T15:17:10.938Z",
"dateReserved": "2024-08-16T17:27:00.338Z",
"dateUpdated": "2024-08-22T18:08:37.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49874
Vulnerability from cvelistv5
Published
2023-12-12 08:17
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 Version: 0 ≤ 9.0.3 Version: 0 ≤ 9.1.2 Version: 0 ≤ 9.2.1 Version: 0 ≤ 7.8.14 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.14",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.2.2"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.0.4"
},
{
"status": "unaffected",
"version": "9.1.3"
},
{
"status": "unaffected",
"version": "7.8.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a\u0026nbsp;guest to update the tasks of a private playbook run if they know the run ID.\u003c/p\u003e"
}
],
"value": "Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a\u00a0guest to update the tasks of a private playbook run if they know the run ID.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:17:53.947Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3, 7.8.15 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3, 7.8.15 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00247",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54400"
],
"discovery": "EXTERNAL"
},
"title": "IDOR when updating the tasks of a private playbook run",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-49874",
"datePublished": "2023-12-12T08:17:53.947Z",
"dateReserved": "2023-12-05T08:04:35.043Z",
"dateUpdated": "2024-08-02T22:01:26.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2366
Vulnerability from cvelistv5
Published
2022-07-11 14:08
Modified
2024-12-06 23:08
Severity ?
EPSS score ?
Summary
Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 6.7.x 6.7.0 Version: 6.x < Version: 6.5.x < Version: 6.6.x < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:50.416614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:08:46.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "6.7.x 6.7.0"
},
{
"lessThanOrEqual": "6.3.8",
"status": "affected",
"version": "6.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "6.5.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.6.1",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-11T14:08:50",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
}
],
"source": {
"advisory": " MMSA-2022-00109",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42379"
],
"discovery": "EXTERNAL"
},
"title": "Incorrect defaults can cause attackers to bypass rate limitations ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-2366",
"STATE": "PUBLIC",
"TITLE": "Incorrect defaults can cause attackers to bypass rate limitations "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "6.x",
"version_value": "6.3.8"
},
{
"version_affected": "\u003c=",
"version_name": "6.5.x",
"version_value": "6.5.1"
},
{
"version_affected": "\u003c=",
"version_name": "6.6.x",
"version_value": "6.6.1"
},
{
"version_affected": "=",
"version_name": "6.7.x",
"version_value": "6.7.0"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
}
]
},
"source": {
"advisory": " MMSA-2022-00109",
"defect": [
"https://mattermost.atlassian.net/browse/MM-42379"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-2366",
"datePublished": "2022-07-11T14:08:50",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-12-06T23:08:46.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-29221
Vulnerability from cvelistv5
Published
2024-04-05 08:15
Modified
2024-08-02 01:10
Severity ?
EPSS score ?
Summary
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 ≤ 9.5.1 Version: 9.4.0 ≤ 9.4.3 Version: 9.3.0 ≤ 9.3.2 Version: 8.1.0 ≤ 8.1.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T17:16:33.172848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:08.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.5.1",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.3",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.2",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.10",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.6.0"
},
{
"status": "unaffected",
"version": "9.5.2"
},
{
"status": "unaffected",
"version": "9.4.4"
},
{
"status": "unaffected",
"version": "9.3.3"
},
{
"status": "unaffected",
"version": "8.1.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omar ahmed (omar-ahmed)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint\u0026nbsp;allowing\u0026nbsp;a team admin to get the invite ID of their team, thus allowing them to invite users, even if the \"Add Members\" permission was explicitly removed from team admins. \u003c/p\u003e"
}
],
"value": "Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint\u00a0allowing\u00a0a team admin to get the invite ID of their team, thus allowing them to invite users, even if the \"Add Members\" permission was explicitly removed from team admins. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T08:15:07.130Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2024-00311",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56821"
],
"discovery": "EXTERNAL"
},
"title": "Invite ID available to team admins even without the \"Add Members\" permission",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-29221",
"datePublished": "2024-04-05T08:15:07.130Z",
"dateReserved": "2024-04-03T10:03:48.289Z",
"dateUpdated": "2024-08-02T01:10:54.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3581
Vulnerability from cvelistv5
Published
2023-07-17 15:20
Modified
2024-10-30 13:54
Severity ?
EPSS score ?
Summary
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.497Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T13:54:36.582514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T13:54:50.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": " 7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "\u00a07.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:20:00.186Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00200",
"defect": [
"https://mattermost.atlassian.net/browse/MM-49701"
],
"discovery": "INTERNAL"
},
"title": "WebSockets accept connections from HTTPS origin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3581",
"datePublished": "2023-07-17T15:20:00.186Z",
"dateReserved": "2023-07-10T12:32:13.548Z",
"dateUpdated": "2024-10-30T13:54:50.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20869
Vulnerability from cvelistv5
Published
2020-06-19 15:21
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:21:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20869",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20869",
"datePublished": "2020-06-19T15:21:12",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20874
Vulnerability from cvelistv5
Published
2020-06-19 15:42
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:42:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20874",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20874",
"datePublished": "2020-06-19T15:42:50",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-21848
Vulnerability from cvelistv5
Published
2024-04-05 08:13
Modified
2024-08-01 22:27
Severity ?
EPSS score ?
Summary
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 8.1.0 ≤ 8.1.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T15:46:42.823620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T15:46:54.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.10",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.5.0"
},
{
"status": "unaffected",
"version": "8.1.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Leandro Chaves (brdoors3)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel\u003c/p\u003e"
}
],
"value": "Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T08:13:01.713Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 8.1.11 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.5.0, 8.1.11 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00256",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54545"
],
"discovery": "EXTERNAL"
},
"title": "Users maintain access to active call after being removed from a channel",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-21848",
"datePublished": "2024-04-05T08:13:01.713Z",
"dateReserved": "2024-04-03T10:03:48.279Z",
"dateUpdated": "2024-08-01T22:27:36.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-46872
Vulnerability from cvelistv5
Published
2024-10-29 08:12
Modified
2024-10-29 12:51
Severity ?
EPSS score ?
Summary
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.10.0 ≤ 9.10.2 Version: 9.11.0 ≤ 9.11.1 Version: 9.5.0 ≤ 9.5.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T12:51:01.235547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T12:51:14.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.10.2",
"status": "affected",
"version": "9.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.11.1",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.9",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.0.0"
},
{
"status": "unaffected",
"version": "9.10.3"
},
{
"status": "unaffected",
"version": "9.11.2"
},
{
"status": "unaffected",
"version": "9.5.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T08:12:12.736Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00366",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58842"
],
"discovery": "EXTERNAL"
},
"title": "Client-Side Path Traversal Leading to CSRF in Playbooks",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-46872",
"datePublished": "2024-10-29T08:12:12.736Z",
"dateReserved": "2024-10-21T16:12:47.134Z",
"dateUpdated": "2024-10-29T12:51:14.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-46701
Vulnerability from cvelistv5
Published
2023-12-12 08:19
Modified
2024-08-02 20:53
Severity ?
EPSS score ?
Summary
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 Version: 0 ≤ 9.0.3 Version: 0 ≤ 9.1.2 Version: 0 ≤ 9.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.2.2"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.0.4"
},
{
"status": "unaffected",
"version": "9.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID\u003c/p\u003e"
}
],
"value": "Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:19:22.274Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u0026nbsp;9.2.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u00a09.2.2 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00237",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54148"
],
"discovery": "EXTERNAL"
},
"title": "Inaccessible Post Information Leak via Run Timeline IDOR",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-46701",
"datePublished": "2023-12-12T08:19:22.274Z",
"dateReserved": "2023-12-05T08:22:34.302Z",
"dateUpdated": "2024-08-02T20:53:20.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21248
Vulnerability from cvelistv5
Published
2020-06-19 16:47
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:47:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21248",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21248",
"datePublished": "2020-06-19T16:47:04",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42497
Vulnerability from cvelistv5
Published
2024-08-22 15:17
Modified
2024-08-22 15:31
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 ≤ 9.9.1 Version: 9.5.0 ≤ 9.5.7 Version: 9.10.0 Version: 9.8.0 ≤ 9.8.2 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "mattermost",
"vendor": "mattermost",
"versions": [
{
"lessThanOrEqual": "9.9.1",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.7",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.10.0"
},
{
"lessThanOrEqual": "9.8.2",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T15:27:30.908684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T15:31:45.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.9.1",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.7",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "9.10.0"
},
{
"lessThanOrEqual": "9.8.2",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.11.0"
},
{
"status": "unaffected",
"version": "9.9.2"
},
{
"status": "unaffected",
"version": "9.5.8"
},
{
"status": "unaffected",
"version": "9.10.1"
},
{
"status": "unaffected",
"version": "9.8.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BhaRat (hackit_bharat)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0, 9.8.x \u0026lt;= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T15:17:11.468Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00353",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58547"
],
"discovery": "EXTERNAL"
},
"title": "Insufficient permissions checks on teams",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-42497",
"datePublished": "2024-08-22T15:17:11.468Z",
"dateReserved": "2024-08-16T17:27:00.329Z",
"dateUpdated": "2024-08-22T15:31:45.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3587
Vulnerability from cvelistv5
Published
2023-07-17 15:26
Modified
2024-10-22 13:40
Severity ?
EPSS score ?
Summary
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.922Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3587",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:32:46.413613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:40:42.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.10.3 "
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Pallinger (danipalli)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:26:51.996Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp;7.8.7,\u0026nbsp;7.9.5,\u0026nbsp;7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions\u00a07.8.7,\u00a07.9.5,\u00a07.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00175",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52370"
],
"discovery": "EXTERNAL"
},
"title": "Inconsistent state in UI after boards permission change by system admin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3587",
"datePublished": "2023-07-17T15:26:51.996Z",
"dateReserved": "2023-07-10T14:01:18.080Z",
"dateUpdated": "2024-10-22T13:40:42.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11070
Vulnerability from cvelistv5
Published
2020-06-19 19:25
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:25:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11070",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11070",
"datePublished": "2020-06-19T19:25:34",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6727
Vulnerability from cvelistv5
Published
2023-12-12 10:53
Modified
2024-08-02 08:35
Severity ?
EPSS score ?
Summary
Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 Version: 0 ≤ 9.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T10:53:02.127Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.2.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.6, 9.2.2 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00236",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54129"
],
"discovery": "EXTERNAL"
},
"title": "Leak Inaccessible Playbook Information via Channel Action IDOR",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-6727",
"datePublished": "2023-12-12T10:53:02.127Z",
"dateReserved": "2023-12-12T10:48:31.631Z",
"dateUpdated": "2024-08-02T08:35:14.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3590
Vulnerability from cvelistv5
Published
2023-07-17 15:28
Modified
2024-10-21 19:43
Severity ?
EPSS score ?
Summary
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3590",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:42:32.996082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:43:23.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "BhaRat (hackit_bharat)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost\u0026nbsp;fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.\u003c/p\u003e"
}
],
"value": "Mattermost\u00a0fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:28:50.860Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00174",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51879"
],
"discovery": "EXTERNAL"
},
"title": "Deleted attachments in Boards remain accessible",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3590",
"datePublished": "2023-07-17T15:28:50.860Z",
"dateReserved": "2023-07-10T15:01:13.653Z",
"dateUpdated": "2024-10-21T19:43:23.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18917
Vulnerability from cvelistv5
Published
2020-06-19 19:18
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:18:37",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18917",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18917",
"datePublished": "2020-06-19T19:18:37",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1831
Vulnerability from cvelistv5
Published
2023-04-17 14:21
Modified
2024-12-06 23:05
Severity ?
EPSS score ?
Summary
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.7.2 Version: 0 ≤ 7.8.1 Version: 0 ≤ 7.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:26.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:55:46.424893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:05:08.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.8.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.7.3"
},
{
"status": "unaffected",
"version": "7.8.2"
},
{
"status": "unaffected",
"version": "7.9.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo Astoreca"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost fails to redact \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom audit logs\u0026nbsp;\u003c/span\u003ethe user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). \u003cbr\u003e"
}
],
"value": "Mattermost fails to redact from audit logs\u00a0the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-17T14:52:11.171Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.7.3, v7.8.2, v7.9.1 or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.7.3, v7.8.2, v7.9.1 or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00146",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51320"
],
"discovery": "INTERNAL"
},
"title": "User password logged in audit logs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-1831",
"datePublished": "2023-04-17T14:21:13.233Z",
"dateReserved": "2023-04-04T12:11:43.194Z",
"dateUpdated": "2024-12-06T23:05:08.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20844
Vulnerability from cvelistv5
Published
2020-06-19 13:26
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:26:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20844",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20844",
"datePublished": "2020-06-19T13:26:49",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3257
Vulnerability from cvelistv5
Published
2022-09-23 14:13
Modified
2024-12-06 23:07
Severity ?
EPSS score ?
Summary
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC | |
| https://hackerone.com/reports/1620170 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:05.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1620170"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:36.614652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:07:48.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.1.x",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-23T14:13:39",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1620170"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to version v7.2 or higher."
}
],
"source": {
"advisory": "MMSA-2022-00115",
"defect": [
"https://mattermost.atlassian.net/browse/MM-45503"
],
"discovery": "EXTERNAL"
},
"title": "Server-side Denial of Service while processing a specifically crafted GIF file",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-3257",
"STATE": "PUBLIC",
"TITLE": "Server-side Denial of Service while processing a specifically crafted GIF file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "7.1.x"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
},
{
"name": "https://hackerone.com/reports/1620170",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1620170"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Mattermost to version v7.2 or higher."
}
],
"source": {
"advisory": "MMSA-2022-00115",
"defect": [
"https://mattermost.atlassian.net/browse/MM-45503"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-3257",
"datePublished": "2022-09-23T14:13:39",
"dateReserved": "2022-09-21T00:00:00",
"dateUpdated": "2024-12-06T23:07:48.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18896
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18896",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18896",
"datePublished": "2020-06-19T18:10:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20868
Vulnerability from cvelistv5
Published
2020-06-19 15:19
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:19:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20868",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20868",
"datePublished": "2020-06-19T15:19:47",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11083
Vulnerability from cvelistv5
Published
2020-06-19 19:29
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:29:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11083",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11083",
"datePublished": "2020-06-19T19:29:43",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11077
Vulnerability from cvelistv5
Published
2020-06-19 19:28
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:28:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11077",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11077",
"datePublished": "2020-06-19T19:28:01",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11073
Vulnerability from cvelistv5
Published
2020-06-19 19:26
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:26:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11073",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11073",
"datePublished": "2020-06-19T19:26:32",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18885
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user\u0027s behalf."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18885",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user\u0027s behalf."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18885",
"datePublished": "2020-06-19T18:10:29",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21257
Vulnerability from cvelistv5
Published
2020-06-19 16:51
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:51:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21257",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21257",
"datePublished": "2020-06-19T16:51:47",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18873
Vulnerability from cvelistv5
Published
2020-06-19 17:44
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T17:44:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18873",
"datePublished": "2020-06-19T17:44:12",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11062
Vulnerability from cvelistv5
Published
2020-06-19 19:21
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.701Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:21:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11062",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11062",
"datePublished": "2020-06-19T19:21:50",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11082
Vulnerability from cvelistv5
Published
2020-06-19 19:29
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:29:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11082",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11082",
"datePublished": "2020-06-19T19:29:32",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18879
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:42",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18879",
"datePublished": "2020-06-19T18:08:42",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21254
Vulnerability from cvelistv5
Published
2020-06-19 16:49
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:49:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21254",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21254",
"datePublished": "2020-06-19T16:49:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21250
Vulnerability from cvelistv5
Published
2020-06-19 16:51
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:51:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21250",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21250",
"datePublished": "2020-06-19T16:51:17",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27265
Vulnerability from cvelistv5
Published
2023-02-27 14:46
Modified
2024-12-06 23:06
Severity ?
EPSS score ?
Summary
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 5.12.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:42.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:20.178801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:06:38.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "7.7.0",
"status": "affected",
"version": "5.12.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "foobar7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eMattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-27T14:46:23.494Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version 7.7.0 or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version 7.7.0 or higher.\n"
}
],
"source": {
"advisory": "MMSA-2023-00133",
"defect": [
"https://mattermost.atlassian.net/browse/MM-47982"
],
"discovery": "EXTERNAL"
},
"title": "Disclosure of team owner email address when regenerating Invite ID",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-27265",
"datePublished": "2023-02-27T14:46:23.494Z",
"dateReserved": "2023-02-27T14:31:01.786Z",
"dateUpdated": "2024-12-06T23:06:38.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3147
Vulnerability from cvelistv5
Published
2022-09-09 14:39
Modified
2024-12-06 23:08
Severity ?
EPSS score ?
Summary
Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC | |
| https://hackerone.com/reports/1549513 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1549513"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:52:39.363894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:08:00.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.0.x",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T14:39:51",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mattermost.com/security-updates/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1549513"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to version v7.1 or higher."
}
],
"source": {
"advisory": "MMSA-2022-00113",
"defect": [
"https://mattermost.atlassian.net/browse/MM-43729"
],
"discovery": "EXTERNAL"
},
"title": "Server-side Denial of Service while processing a specifically crafted JPEG file",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "responsibledisclosure@mattermost.com",
"ID": "CVE-2022-3147",
"STATE": "PUBLIC",
"TITLE": "Server-side Denial of Service while processing a specifically crafted JPEG file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mattermost",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "7.0.x"
}
]
}
}
]
},
"vendor_name": "Mattermost"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "MISC",
"url": "https://mattermost.com/security-updates/"
},
{
"name": "https://hackerone.com/reports/1549513",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1549513"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Mattermost to version v7.1 or higher."
}
],
"source": {
"advisory": "MMSA-2022-00113",
"defect": [
"https://mattermost.atlassian.net/browse/MM-43729"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2022-3147",
"datePublished": "2022-09-09T14:39:51",
"dateReserved": "2022-09-07T00:00:00",
"dateUpdated": "2024-12-06T23:08:00.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20842
Vulnerability from cvelistv5
Published
2020-06-19 13:18
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:18:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20842",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20842",
"datePublished": "2020-06-19T13:18:27",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45847
Vulnerability from cvelistv5
Published
2023-12-12 08:17
Modified
2024-12-02 16:58
Severity ?
EPSS score ?
Summary
Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 Version: 0 ≤ 9.0.3 Version: 0 ≤ 9.1.2 Version: 0 ≤ 9.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T16:57:25.956750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T16:58:14.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.2.2"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.0.4"
},
{
"status": "unaffected",
"version": "9.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin\u003c/p\u003e"
}
],
"value": "Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:17:10.088Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.2.2\u0026nbsp;\u003c/span\u003eor higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u00a09.2.2\u00a0or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00231",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53752"
],
"discovery": "EXTERNAL"
},
"title": " Playbook Plugin Crash via Run Checklist",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-45847",
"datePublished": "2023-12-12T08:17:10.088Z",
"dateReserved": "2023-12-05T08:04:35.036Z",
"dateUpdated": "2024-12-02T16:58:14.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20855
Vulnerability from cvelistv5
Published
2020-06-19 14:06
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:06:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20855",
"datePublished": "2020-06-19T14:06:36",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14447
Vulnerability from cvelistv5
Published
2020-06-19 13:04
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:04:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14447",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14447",
"datePublished": "2020-06-19T13:04:19",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18878
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user\u0027s session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18878",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user\u0027s session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18878",
"datePublished": "2020-06-19T18:08:20",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21252
Vulnerability from cvelistv5
Published
2020-06-19 17:44
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T17:44:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21252",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21252",
"datePublished": "2020-06-19T17:44:09",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49607
Vulnerability from cvelistv5
Published
2023-12-12 08:21
Modified
2024-08-02 22:01
Severity ?
EPSS score ?
Summary
Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.5 Version: 0 ≤ 9.0.3 Version: 0 ≤ 9.1.2 Version: 0 ≤ 9.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.2.2"
},
{
"status": "unaffected",
"version": "8.1.6"
},
{
"status": "unaffected",
"version": "9.0.4"
},
{
"status": "unaffected",
"version": "9.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to validate the type of the \"reminder\" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.\u003c/p\u003e"
}
],
"value": "Mattermost fails to validate the type of the \"reminder\" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-12T08:21:36.568Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Plugins to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Plugins to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00238",
"defect": [
"https://mattermost.atlassian.net/browse/MM-54150"
],
"discovery": "EXTERNAL"
},
"title": "Playbook plugin crash via missing interface type assertion",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-49607",
"datePublished": "2023-12-12T08:21:36.568Z",
"dateReserved": "2023-12-05T08:22:34.310Z",
"dateUpdated": "2024-08-02T22:01:26.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18898
Vulnerability from cvelistv5
Published
2020-06-19 18:43
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:43:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18898",
"datePublished": "2020-06-19T18:43:19",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20881
Vulnerability from cvelistv5
Published
2020-06-19 16:29
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:29:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20881",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20881",
"datePublished": "2020-06-19T16:29:01",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20858
Vulnerability from cvelistv5
Published
2020-06-19 14:11
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:11:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20858",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20858",
"datePublished": "2020-06-19T14:11:43",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18889
Vulnerability from cvelistv5
Published
2020-06-19 18:08
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:08:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18889",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18889",
"datePublished": "2020-06-19T18:08:54",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20882
Vulnerability from cvelistv5
Published
2020-06-19 16:39
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:39:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20882",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20882",
"datePublished": "2020-06-19T16:39:23",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21255
Vulnerability from cvelistv5
Published
2020-06-19 16:49
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:49:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21255",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21255",
"datePublished": "2020-06-19T16:49:55",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18913
Vulnerability from cvelistv5
Published
2020-06-19 19:16
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:16:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18913",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18913",
"datePublished": "2020-06-19T19:16:09",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-45843
Vulnerability from cvelistv5
Published
2024-09-26 08:03
Modified
2024-09-26 13:11
Severity ?
EPSS score ?
Summary
Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 ≤ 9.5.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:11:45.717316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T13:11:54.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.5.8",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.11.0"
},
{
"status": "unaffected",
"version": "9.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.8 fail to include the\u0026nbsp;metadata endpoints of\u0026nbsp;Oracle Cloud and Alibaba in the SSRF denylist, which allows\u0026nbsp;an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.5.x \u003c= 9.5.8 fail to include the\u00a0metadata endpoints of\u00a0Oracle Cloud and Alibaba in the SSRF denylist, which allows\u00a0an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T08:03:41.827Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.11.0, 9.5.9 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00369",
"defect": [
"https://mattermost.atlassian.net/browse/MM-59025"
],
"discovery": "EXTERNAL"
},
"title": "Weak SSRF Filtering",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-45843",
"datePublished": "2024-09-26T08:03:41.827Z",
"dateReserved": "2024-09-23T07:55:36.370Z",
"dateUpdated": "2024-09-26T13:11:54.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-5331
Vulnerability from cvelistv5
Published
2023-10-09 10:40
Modified
2024-09-05 19:47
Severity ?
EPSS score ?
Summary
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.10 Version: 0 ≤ 8.0.2 Version: 0 ≤ 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:52:08.561Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T19:46:54.511962Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T19:47:23.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.11"
},
{
"status": "unaffected",
"version": "8.0.3"
},
{
"status": "unaffected",
"version": "8.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly check the creator of an attached file when adding the file to a draft post,\u0026nbsp;potentially exposing unauthorized file information.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly check the creator of an attached file when adding the file to a draft post,\u00a0potentially exposing unauthorized file information.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T10:40:26.436Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2\u0026nbsp;or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2\u00a0or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00234",
"defect": [
"https://mattermost.atlassian.net/browse/MM-53948"
],
"discovery": "EXTERNAL"
},
"title": "File Information Leak via IDOR in file_id in Draft Posts",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-5331",
"datePublished": "2023-10-09T10:40:26.436Z",
"dateReserved": "2023-10-02T11:06:18.494Z",
"dateUpdated": "2024-09-05T19:47:23.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-41926
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 14:32
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 Version: 9.5.0 ≤ 9.5.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T14:31:59.417867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:32:10.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.9.0"
},
{
"lessThanOrEqual": "9.5.6",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.10.0"
},
{
"status": "unaffected",
"version": "9.9.1"
},
{
"status": "unaffected",
"version": "9.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0 and 9.5.x \u0026lt;= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs,\u0026nbsp;which allows a malicious remote to\u0026nbsp;set arbitrary RemoteId values for synced users and therefore\u0026nbsp;claim that a user was synced from another remote.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.0 and 9.5.x \u003c= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs,\u00a0which allows a malicious remote to\u00a0set arbitrary RemoteId values for synced users and therefore\u00a0claim that a user was synced from another remote."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:05:10.650Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00343",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58252"
],
"discovery": "INTERNAL"
},
"title": "Malicious remote can claim that a user was synced from another remote",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-41926",
"datePublished": "2024-08-01T14:05:10.650Z",
"dateReserved": "2024-07-23T18:35:14.800Z",
"dateUpdated": "2024-08-01T14:32:10.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36250
Vulnerability from cvelistv5
Published
2024-11-09 17:18
Modified
2024-11-12 14:52
Severity ?
EPSS score ?
Summary
Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.11.0 ≤ 9.11.2 Version: 9.5.0 ≤ 9.5.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:52:26.242892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:52:39.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.11.2",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.10",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.1.0"
},
{
"status": "unaffected",
"version": "9.11.3"
},
{
"status": "unaffected",
"version": "9.5.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "DoyenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.2, and 9.5.x \u0026lt;= 9.5.10 fail to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprotect the mfa code against replay attacks\u003c/span\u003e, which allows an attacker to reuse the MFA code within\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;~30 seconds \u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.11.x \u003c= 9.11.2, and 9.5.x \u003c= 9.5.10 fail to\u00a0protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within\u00a0~30 seconds"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-09T17:18:34.703Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.1.0, 9.11.3, 9.5.11 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.1.0, 9.11.3, 9.5.11 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00370",
"defect": [
"https://mattermost.atlassian.net/browse/MM-59068"
],
"discovery": "EXTERNAL"
},
"title": "MFA Code Replay",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-36250",
"datePublished": "2024-11-09T17:18:34.703Z",
"dateReserved": "2024-11-05T09:14:34.842Z",
"dateUpdated": "2024-11-12T14:52:39.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-39839
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 18:04
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 Version: 9.5.0 ≤ 9.5.6 Version: 9.7.0 ≤ 9.7.5 Version: 9.8.0 ≤ 9.8.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T18:04:29.704681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:42.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.9.0"
},
{
"lessThanOrEqual": "9.5.6",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.7.5",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.8.1",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.10.0"
},
{
"status": "unaffected",
"version": "9.9.1"
},
{
"status": "unaffected",
"version": "9.5.7"
},
{
"status": "unaffected",
"version": "9.7.6"
},
{
"status": "unaffected",
"version": "9.8.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 fail to disallow\u0026nbsp;users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn\u0027t been synced before.\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to disallow\u00a0users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn\u0027t been synced before."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:05:07.339Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00354",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58574"
],
"discovery": "INTERNAL"
},
"title": "Remote username set to an arbitrary string by remote user",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-39839",
"datePublished": "2024-08-01T14:05:07.339Z",
"dateReserved": "2024-07-23T18:35:14.805Z",
"dateUpdated": "2024-08-01T18:04:42.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21253
Vulnerability from cvelistv5
Published
2020-06-19 16:45
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:45:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21253",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21253",
"datePublished": "2020-06-19T16:45:02",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18914
Vulnerability from cvelistv5
Published
2020-06-19 19:16
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:16:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18914",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18914",
"datePublished": "2020-06-19T19:16:05",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1402
Vulnerability from cvelistv5
Published
2024-02-09 15:09
Modified
2024-08-01 18:40
Severity ?
EPSS score ?
Summary
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 8.1.7 Version: 0 ≤ 9.1.4 Version: 0 ≤ 9.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T17:55:23.358517Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:45.030Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "8.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.3.0"
},
{
"status": "unaffected",
"version": "9.2.4"
},
{
"status": "unaffected",
"version": "9.1.5"
},
{
"status": "unaffected",
"version": "8.1.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Gian Klug (coderion)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-30T12:07:15.141Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.3.0, 9.2.4, 9.1.5, 8.1.8 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.3.0, 9.2.4, 9.1.5, 8.1.8 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00276",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55142"
],
"discovery": "EXTERNAL"
},
"title": "Denial of service in mattermost mobile apps and server via emoji reactions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-1402",
"datePublished": "2024-02-09T15:09:18.157Z",
"dateReserved": "2024-02-09T14:53:28.621Z",
"dateUpdated": "2024-08-01T18:40:20.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20845
Vulnerability from cvelistv5
Published
2020-06-19 13:27
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:27:42",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20845",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20845",
"datePublished": "2020-06-19T13:27:42",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2450
Vulnerability from cvelistv5
Published
2024-03-15 09:12
Modified
2024-08-02 20:35
Severity ?
EPSS score ?
Summary
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 Version: 9.4.0 ≤ 9.4.2 Version: 9.3.0 ≤ 9.3.1 Version: 9.2.0 ≤ 9.2.5 Version: 8.1.0 ≤ 8.1.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.648Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mattermost",
"vendor": "mattermost",
"versions": [
{
"lessThan": "9.6.0",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "9.4.3",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.3.2",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.2.6",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThan": "8.1.10",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T20:31:33.867157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T20:35:32.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.5.0"
},
{
"lessThanOrEqual": "9.4.2",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.1",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.5",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.9",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.6.0"
},
{
"status": "unaffected",
"version": "9.4.3"
},
{
"status": "unaffected",
"version": "9.5.1"
},
{
"status": "unaffected",
"version": "9.3.2"
},
{
"status": "unaffected",
"version": "9.2.6"
},
{
"status": "unaffected",
"version": "8.1.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.\u003c/p\u003e"
}
],
"value": "Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-15T09:12:28.880Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6, 9.4.3, 9.5.1, 9.3.2, 9.2.6, 8.1.10 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.6, 9.4.3, 9.5.1, 9.3.2, 9.2.6, 8.1.10 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2024-00309",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56751"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-2450",
"datePublished": "2024-03-15T09:12:28.880Z",
"dateReserved": "2024-03-14T12:57:05.854Z",
"dateUpdated": "2024-08-02T20:35:32.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20889
Vulnerability from cvelistv5
Published
2020-06-19 16:47
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:47:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20889",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20889",
"datePublished": "2020-06-19T16:47:07",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18916
Vulnerability from cvelistv5
Published
2020-06-19 19:19
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:19:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18916",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18916",
"datePublished": "2020-06-19T19:19:12",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20863
Vulnerability from cvelistv5
Published
2020-06-19 14:18
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T14:18:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20863",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20863",
"datePublished": "2020-06-19T14:18:41",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21251
Vulnerability from cvelistv5
Published
2020-06-19 16:49
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.379Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:49:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21251",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21251",
"datePublished": "2020-06-19T16:49:18",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18872
Vulnerability from cvelistv5
Published
2020-06-19 17:44
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T17:44:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18872",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18872",
"datePublished": "2020-06-19T17:44:11",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18921
Vulnerability from cvelistv5
Published
2020-06-19 19:21
Modified
2024-08-05 21:45
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:24.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:21:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18921",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18921",
"datePublished": "2020-06-19T19:21:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:45:24.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-18893
Vulnerability from cvelistv5
Published
2020-06-19 18:10
Modified
2024-08-05 21:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:37:44.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T18:10:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18893",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18893",
"datePublished": "2020-06-19T18:10:57",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T21:37:44.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21260
Vulnerability from cvelistv5
Published
2020-06-19 16:49
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:49:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21260",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21260",
"datePublished": "2020-06-19T16:49:45",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2281
Vulnerability from cvelistv5
Published
2023-04-25 13:04
Modified
2024-12-06 23:04
Severity ?
EPSS score ?
Summary
When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T22:51:54.692210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T23:04:46.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThan": "7.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Espino Garcia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T13:04:42.287Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Mattermost to version v7.9 or higher.\u003cbr\u003e"
}
],
"value": "Update Mattermost to version v7.9 or higher.\n"
}
],
"source": {
"advisory": "MMSA-2022-00128",
"defect": [
"https://mattermost.atlassian.net/browse/MM-49034"
],
"discovery": "INTERNAL"
},
"title": "Archiving a team broadcasts unsanitized data over WebSockets",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-2281",
"datePublished": "2023-04-25T13:04:42.287Z",
"dateReserved": "2023-04-25T13:04:22.071Z",
"dateUpdated": "2024-12-06T23:04:46.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-47858
Vulnerability from cvelistv5
Published
2024-01-02 09:54
Modified
2024-08-02 21:16
Severity ?
EPSS score ?
Summary
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 9.2.2 Version: 0 ≤ 9.1.3 Version: 0 ≤ 9.0.4 Version: 0 ≤ 8.1.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:43.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.1.7"
},
{
"status": "unaffected",
"version": "9.0.5"
},
{
"status": "unaffected",
"version": "9.1.4"
},
{
"status": "unaffected",
"version": "9.2.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly verify the permissions needed for viewing archived public channels,\u0026nbsp;\u0026nbsp;allowing a member of one team to get details about the archived public channels of another team via the\u0026nbsp;GET /api/v4/teams/\u0026lt;team-id\u0026gt;/channels/deleted endpoint.\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly verify the permissions needed for viewing archived public channels,\u00a0\u00a0allowing a member of one team to get details about the archived public channels of another team via the\u00a0GET /api/v4/teams/\u003cteam-id\u003e/channels/deleted endpoint.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T09:54:25.057Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.0.5, 9.1.4, 9.2.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 8.1.7, 9.0.5, 9.1.4, 9.2.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00269",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55005"
],
"discovery": "EXTERNAL"
},
"title": "Details of archived public channels are leaked to members of another team",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-47858",
"datePublished": "2024-01-02T09:54:25.057Z",
"dateReserved": "2023-12-21T08:00:43.436Z",
"dateUpdated": "2024-08-02T21:16:43.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14453
Vulnerability from cvelistv5
Published
2020-06-19 13:10
Modified
2024-08-04 12:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T13:10:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14453",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14453",
"datePublished": "2020-06-19T13:10:05",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-04T12:46:34.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3585
Vulnerability from cvelistv5
Published
2023-07-17 15:24
Modified
2024-10-21 19:43
Severity ?
EPSS score ?
Summary
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.036Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3585",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:42:37.907997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:43:02.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ossi V\u00e4\u00e4n\u00e4nen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eposting a specially crafted boards link.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by\u00a0posting a specially crafted boards link.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:24:20.975Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00168",
"defect": [
"https://mattermost.atlassian.net/browse/MM-51713"
],
"discovery": "EXTERNAL"
},
"title": "channel DoS by sharing a boards link",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3585",
"datePublished": "2023-07-17T15:24:20.975Z",
"dateReserved": "2023-07-10T13:44:28.891Z",
"dateUpdated": "2024-10-21T19:43:02.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20880
Vulnerability from cvelistv5
Published
2020-06-19 16:29
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:29:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20880",
"datePublished": "2020-06-19T16:29:00",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-21264
Vulnerability from cvelistv5
Published
2020-06-19 17:44
Modified
2024-08-05 12:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:26:39.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T17:44:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-21264",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-21264",
"datePublished": "2020-06-19T17:44:05",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T12:26:39.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20866
Vulnerability from cvelistv5
Published
2020-06-19 15:13
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T15:13:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20866",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20866",
"datePublished": "2020-06-19T15:13:15",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20886
Vulnerability from cvelistv5
Published
2020-06-19 16:45
Modified
2024-08-05 02:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:53:09.450Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T16:45:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20886",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20886",
"datePublished": "2020-06-19T16:45:44",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-05T02:53:09.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3614
Vulnerability from cvelistv5
Published
2023-07-17 15:32
Modified
2024-10-21 19:39
Severity ?
EPSS score ?
Summary
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 0 ≤ 7.8.6 Version: 0 ≤ 7.9.4 Version: 0 ≤ 7.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.084Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:17:44.164995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:39:59.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.7"
},
{
"status": "unaffected",
"version": "7.9.5"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Juho Nurminen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost fails to properly validate a gif image file, allowing an attacker to\u0026nbsp;consume a significant amount of server resources, making the server unresponsive for an extended period of time by\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;linking to specially crafted image file.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Mattermost fails to properly validate a gif image file, allowing an attacker to\u00a0consume a significant amount of server resources, making the server unresponsive for an extended period of time by\u00a0linking to specially crafted image file.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:32:16.646Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions\u0026nbsp;v7.8.7,\u0026nbsp;v7.9.5, v7.10.3 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions\u00a0v7.8.7,\u00a0v7.9.5, v7.10.3 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00190",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52719"
],
"discovery": "INTERNAL"
},
"title": "Denial of Service via specially crafted gif image",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3614",
"datePublished": "2023-07-17T15:32:16.646Z",
"dateReserved": "2023-07-11T09:04:11.707Z",
"dateUpdated": "2024-10-21T19:39:59.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28949
Vulnerability from cvelistv5
Published
2024-04-05 08:14
Modified
2024-09-03 18:35
Severity ?
EPSS score ?
Summary
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.5.0 ≤ 9.5.1 Version: 9.4.0 ≤ 9.4.3 Version: 9.3.0 ≤ 9.3.2 Version: 8.1.0 ≤ 8.1.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T17:54:07.197489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:35:47.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "9.5.1",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.3",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.2",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1.10",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.6.0"
},
{
"status": "unaffected",
"version": "9.5.2"
},
{
"status": "unaffected",
"version": "9.4.4"
},
{
"status": "unaffected",
"version": "9.3.3"
},
{
"status": "unaffected",
"version": "8.1.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vultza (vultza)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don\u0027t limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.\u003c/p\u003e"
}
],
"value": "Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don\u0027t limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T08:14:09.878Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00274",
"defect": [
"https://mattermost.atlassian.net/browse/MM-55198"
],
"discovery": "EXTERNAL"
},
"title": "DoS via a large number of User Preferences",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-28949",
"datePublished": "2024-04-05T08:14:09.878Z",
"dateReserved": "2024-04-03T10:03:48.285Z",
"dateUpdated": "2024-09-03T18:35:47.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-41144
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-05 16:58
Severity ?
EPSS score ?
Summary
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Version: 9.9.0 Version: 9.5.0 ≤ 9.5.6 Version: 9.7.0 ≤ 9.7.5 Version: 9.8.0 ≤ 9.8.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T16:57:35.263257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T16:58:34.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.9.0"
},
{
"lessThanOrEqual": "9.5.6",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.7.5",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.8.1",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.10.0"
},
{
"status": "unaffected",
"version": "9.9.1"
},
{
"status": "unaffected",
"version": "9.5.7"
},
{
"status": "unaffected",
"version": "9.7.6"
},
{
"status": "unaffected",
"version": "9.8.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 fail to properly validate\u0026nbsp;synced posts, when shared channels are enabled,\u0026nbsp;\u0026nbsp;which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels\u003c/p\u003e"
}
],
"value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to properly validate\u00a0synced posts, when shared channels are enabled,\u00a0\u00a0which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:05:08.491Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00355",
"defect": [
"https://mattermost.atlassian.net/browse/MM-58576"
],
"discovery": "INTERNAL"
},
"title": "Malicious remote can create/update/delete arbitrary posts in arbitrary channels",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-41144",
"datePublished": "2024-08-01T14:05:08.491Z",
"dateReserved": "2024-07-23T19:00:08.555Z",
"dateUpdated": "2024-08-05T16:58:34.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-11065
Vulnerability from cvelistv5
Published
2020-06-19 19:23
Modified
2024-08-06 03:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
References
| ▼ | URL | Tags |
|---|---|---|
| https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mattermost.com/security-updates/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post\u0027s appearance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T19:23:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mattermost.com/security-updates/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-11065",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post\u0027s appearance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mattermost.com/security-updates/",
"refsource": "CONFIRM",
"url": "https://mattermost.com/security-updates/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-11065",
"datePublished": "2020-06-19T19:23:02",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-08-06T03:47:34.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}