Count: 232
| Advisory | Summary | CVSS v3 | EPSS | Published |
|---|---|---|---|---|
| GHSA-xvq6-h898-wcj8 | Mattermost denial of service vulnerability | 4.3 | 0% (Low) | over 1 year ago |
| GHSA-wxj2-qc9p-65r3 | Jenkins Mattermost Notification Plugin vulnerable to SSRF | 4.3 | 0% (Low) | about 3 years ago |
| GHSA-wmx6-cwpq-6j42 | Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | 5.4 | 0% (Low) | about 3 years ago |
| GHSA-w6f5-pv84-q7wv | Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. | 3.1 | 0% (Low) | about 2 years ago |
| GHSA-w496-f5qq-m58j | Mattermost vulnerable to excessive memory consumption | 5.3 | 0% (Low) | over 1 year ago |
| GHSA-w3q2-jmrg-5rfm | Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | 4.3 | 0% (Low) | about 2 years ago |
| GHSA-vmvm-jjvw-qwpw | Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use a constant-time comparison for remote cluster tokens, which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. | 8.1 | 0% (Low) | 12 months ago |
| GHSA-vc9q-cghx-53cj | Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger a link preview on a disallowed domain using a specially crafted link. | 4.3 | 0% (Low) | about 2 years ago |
| GHSA-v42f-hq78-8c5m | Denial of service in Mattermost | 6.5 | 0% (Low) | over 2 years ago |
| GHSA-v39f-3xwx-xg8f | Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them, which allows a high-privileged attacker with access to the audit logs to read message contents. | 2.7 | 0% (Low) | 12 months ago |
| GHSA-rvp5-8mrw-f62x | Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user, which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can break some User Management functionality, such as administrative actions against the user not working. | 5.3 | 0% (Low) | 12 months ago |
| GHSA-rp65-jpc7-8h8p | Mattermost Incorrect Authorization vulnerability | 2.7 | 0% (Low) | over 1 year ago |
| GHSA-rgjp-xw8g-3xwx | One of the APIs in Mattermost version 6.3.0 and earlier fails to properly protect permissions, which allows system administrators to combine two distinct privileges/capabilities in a way that lets them override certain restricted configurations like EnableUploads. | 4.9 | 0% (Low) | about 3 years ago |
| GHSA-r67m-mf7v-qp7j | Mattermost password hash disclosure vulnerability | 4.9 | 0% (Low) | over 1 year ago |
| GHSA-r4f6-w245-8wv4 | Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. | | 45% (Medium) | about 3 years ago |
| GHSA-q22q-2rrf-m27p | Mattermost allows unsolicited invites to expose access to local channels | 8.7 | 0% (Low) | 11 months ago |
| GHSA-p5pr-vm3j-jxxf | Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability | 4.3 | 0% (Low) | over 1 year ago |
| GHSA-p433-57hw-rf68 | Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls, which allows any authenticated user, including guests, to mark any channel inside any team as read for any user. | 4.3 | 0% (Low) | 10 months ago |
| GHSA-p267-jjfq-pphf | Mattermost fails to check if the user is a guest before performing actions on public playbooks | 6.3 | 0% (Low) | almost 2 years ago |
| GHSA-m9m2-f9hg-rh66 | When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. | 4.3 | 0% (Low) | about 2 years ago |
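The GHSA-vmvm-jjvw-qwpw entry above is a non-constant-time comparison of remote cluster tokens. The Go program below is an added example, not Mattermost's code: it puts the leaky comparison and the fixed one (crypto/subtle.ConstantTimeCompare) behind the same interface and runs a byte-at-a-time recovery against both. The `Oracle` type, the function names, the hex alphabet and the sample token are assumptions made for this example; the `work` counter stands in for the response latency an attacker would actually have to measure over many requests.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Oracle models what an attacker observes from the token check: whether the
// token was accepted and how much work the comparison did (here a counter;
// in a real attack, network latency). Assumed shape for this example only.
type Oracle func(presented string) (accepted bool, work int)

// oracleVulnerable is a byte-by-byte comparison that returns at the first
// mismatch, the pattern the advisory describes: work grows with the length
// of the correctly guessed prefix.
func oracleVulnerable(stored string) Oracle {
	return func(presented string) (bool, int) {
		if len(stored) != len(presented) {
			return false, 0
		}
		work := 0
		for i := 0; i < len(stored); i++ {
			work++
			if stored[i] != presented[i] {
				return false, work // early exit leaks the mismatch position
			}
		}
		return true, work
	}
}

// oracleConstantTime is the fixed form: ConstantTimeCompare inspects every
// byte whatever the input, so work depends only on the length.
func oracleConstantTime(stored string) Oracle {
	return func(presented string) (bool, int) {
		if len(stored) != len(presented) {
			return false, 0
		}
		ok := subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
		return ok, len(stored)
	}
}

// recoverToken is the attacker's loop: fix one position at a time, try every
// alphabet byte there and keep the candidate that made the check do the most
// work. Against the leaky oracle this costs tokenLen*len(alphabet) queries
// instead of len(alphabet)^tokenLen; against the constant-time oracle every
// candidate looks identical and the search never leaves its starting guess.
func recoverToken(check Oracle, alphabet string, tokenLen int) string {
	guess := make([]byte, tokenLen)
	for i := range guess {
		guess[i] = alphabet[0]
	}
	for pos := 0; pos < tokenLen; pos++ {
		best, bestWork := alphabet[0], -1
		for _, c := range []byte(alphabet) {
			guess[pos] = c
			accepted, work := check(string(guess))
			if accepted {
				return string(guess) // full token found
			}
			if work > bestWork {
				best, bestWork = c, work
			}
		}
		guess[pos] = best
	}
	return string(guess)
}

func main() {
	const alphabet = "0123456789abcdef"
	secret := "7f3a9c0e" // constructed sample token, not a real value
	fmt.Printf("leaky check:         recovered %q\n",
		recoverToken(oracleVulnerable(secret), alphabet, len(secret)))
	fmt.Printf("constant-time check: recovered %q\n",
		recoverToken(oracleConstantTime(secret), alphabet, len(secret)))
}
```

Run with `go run .`: the leaky oracle gives up the whole token in 128 queries, the constant-time one returns the all-zero starting guess. The length check before ConstantTimeCompare is deliberate; fixed-length tokens make that branch unobservable, and it is also what the library does internally.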
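The GHSA-vc9q-cghx-53cj entry above is a canonicalise-before-compare bug. The Go program below is an added example, not Mattermost's code: it shows a disallowed-domain check that compares the raw hostname beside one that first folds the host to a canonical form and fails closed on anything it cannot fold. The `confusables` table, the denylist contents and the function names are assumptions for the example; the table is a hand-picked subset, and production code would use the full Unicode confusables data plus IDNA mapping (ToASCII) instead.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// confusables is a deliberately small lookup table for this example (Cyrillic
// and Greek letters that render like Latin ones). Not the full Unicode data.
var confusables = map[rune]rune{
	'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'х': 'x', 'у': 'y', 'і': 'i', // Cyrillic
	'ο': 'o', 'α': 'a', // Greek
}

// canonicalHost folds the host to the form the disallowed-domain list is
// written in: trailing dot removed, lowercase, fullwidth ASCII mapped back to
// ASCII, known confusables replaced. Anything still non-ASCII afterwards is
// reported as not canonicalisable so the caller can fail closed instead of
// comparing strings that merely look alike.
func canonicalHost(host string) (string, bool) {
	var b strings.Builder
	for _, r := range strings.ToLower(strings.TrimSuffix(host, ".")) {
		if r >= 0xFF01 && r <= 0xFF5E { // fullwidth block lines up 1:1 with U+0021..U+007E
			r = r - 0xFF01 + 0x21
		}
		if m, ok := confusables[r]; ok {
			r = m
		}
		if r > 0x7F {
			return "", false
		}
		b.WriteRune(r)
	}
	return b.String(), true
}

// inDenylist matches the domain itself and any subdomain of it.
func inDenylist(host string, denylist []string) bool {
	for _, d := range denylist {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// previewAllowedVulnerable compares the host exactly as written in the link,
// the failure mode in the advisory: a lookalike spelling is not on the list,
// so a preview is generated; for spellings the resolver itself maps back
// (fullwidth via NFKC/IDNA), the fetch then lands on the disallowed domain.
func previewAllowedVulnerable(host string, denylist []string) bool {
	return !inDenylist(host, denylist)
}

// previewAllowedHardened canonicalises first and refuses to preview anything
// it cannot canonicalise.
func previewAllowedHardened(host string, denylist []string) bool {
	h, ok := canonicalHost(host)
	if !ok {
		return false
	}
	return !inDenylist(h, denylist)
}

func main() {
	denylist := []string{"internal.example"} // constructed sample list
	for _, raw := range []string{
		"https://internal.example/wiki",
		"https://ｉｎｔｅｒｎａｌ.example/wiki", // fullwidth letters
		"https://intеrnal.example/wiki",        // Cyrillic е
		"https://public.example/blog",
	} {
		u, err := url.Parse(raw)
		if err != nil {
			fmt.Println(raw, "parse error:", err)
			continue
		}
		host := u.Hostname()
		fmt.Printf("%-36s vulnerable=%v hardened=%v\n", raw,
			previewAllowedVulnerable(host, denylist), previewAllowedHardened(host, denylist))
	}
}
```

The hardened check treats the Cyrillic lookalike as a hit as well, even though IDNA would encode it to a different xn-- label: for a denylist that is the conservative choice, since the point of the list is that nothing resembling those hosts gets previewed.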