Mattermost — безопасная платформа для совместной работы, позволяющая объединить ваши команды, инструменты и процессы для ускорения критически важной работы.

Релизный цикл, информация об уязвимостях

Продукт: Mattermost

Вендор: Mattermost

График релизов

Недавние уязвимости Mattermost

Количество 245

CVE-2024-6428

больше 1 года назад

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9. ...

CVSS3: 5.3

EPSS: Низкий

CVE-2024-39830

больше 1 года назад

Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.

CVSS3: 8.1

EPSS: Низкий

CVE-2024-39830

больше 1 года назад

Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and ...

CVSS3: 8.1

EPSS: Низкий

CVE-2024-39807

больше 1 года назад

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.

CVSS3: 3.1

EPSS: Низкий

CVE-2024-39807

больше 1 года назад

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0fail to properly sanitize ...

CVSS3: 3.1

EPSS: Низкий

CVE-2024-39361

больше 1 года назад

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts

CVSS3: 3.1

EPSS: Низкий

CVE-2024-39361

больше 1 года назад

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= ...

CVSS3: 3.1

EPSS: Низкий

CVE-2024-39353

больше 1 года назад

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents.

CVSS3: 2.7

EPSS: Низкий

CVE-2024-39353

больше 1 года назад

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the Remo ...

CVSS3: 2.7

EPSS: Низкий

CVE-2024-36257

больше 1 года назад

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A.

CVSS3: 2.7

EPSS: Низкий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2024-6428 Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9. ...	CVSS3: 5.3	0% Низкий	больше 1 года назад
CVE-2024-39830 Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.	CVSS3: 8.1	0% Низкий	больше 1 года назад
CVE-2024-39830 Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and ...	CVSS3: 8.1	0% Низкий	больше 1 года назад
CVE-2024-39807 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.	CVSS3: 3.1	0% Низкий	больше 1 года назад
CVE-2024-39807 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0fail to properly sanitize ...	CVSS3: 3.1	0% Низкий	больше 1 года назад
CVE-2024-39361 Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts	CVSS3: 3.1	0% Низкий	больше 1 года назад
CVE-2024-39361 Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= ...	CVSS3: 3.1	0% Низкий	больше 1 года назад
CVE-2024-39353 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents.	CVSS3: 2.7	0% Низкий	больше 1 года назад
CVE-2024-39353 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the Remo ...	CVSS3: 2.7	0% Низкий	больше 1 года назад
CVE-2024-36257 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A.	CVSS3: 2.7	0% Низкий	больше 1 года назад

Уязвимостей на страницу