Count: 232
Vulnerability | CVSS | EPSS | Published
---|---|---|---
GHSA-fc2h-j9fj-rh35 Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event, which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. | CVSS3: 3.1 | 0% Low | 12 months ago
GHSA-f56r-hfv8-q98c Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection, allowing a network attacker to intercept the WebSockets connection. | CVSS3: 8.1 | 0% Low | almost 2 years ago
GHSA-cmc8-222c-vqp9 Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel. | CVSS3: 8.7 | 0% Low | 11 months ago
GHSA-c6vp-jjgv-38wj Mattermost allows remote/synthetic users to create sessions and reset passwords. | CVSS3: 4.8 | 0% Low | 10 months ago
GHSA-c37r-v8jx-7cv2 Mattermost Uncontrolled Resource Consumption vulnerability | CVSS3: 4.3 | 0% Low | over 1 year ago
GHSA-9v8g-3666-2499 Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents via a specially crafted /groupmsg command. | CVSS3: 6.5 | 0% Low | about 2 years ago
GHSA-9rww-66w7-7vjx Mattermost fails to sanitize post metadata. | CVSS3: 4.5 | 0% Low | almost 2 years ago
GHSA-9hwp-cj7m-wjw4 Mattermost Incorrect Authorization vulnerability | CVSS3: 6.5 | 0% Low | over 1 year ago
GHSA-9h27-89mr-2qm2 Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. | CVSS3: 6.5 | 0% Low | about 2 years ago
GHSA-8m2w-p6c5-hh6c Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. | CVSS3: 6.5 | 0% Low | about 2 years ago
GHSA-8jf2-78m7-7f8v Mattermost fails to verify whether the requestor is a sysadmin before allowing `install` requests to the Apps, allowing a regular user to send install requests to the Apps. | CVSS3: 4.2 | 0% Low | about 2 years ago
GHSA-898c-6fq9-5cv9 Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view the contents of archived channels by directly accessing the APIs, even when this is denied by system administrators. | CVSS3: 6.5 | 0% Low | over 3 years ago
GHSA-85jj-c9jr-9jhx Mattermost Improper Access Control vulnerability | CVSS3: 4.3 | 0% Low | over 1 year ago
GHSA-8345-jr9c-vhph Mattermost fails to properly truncate the Postgres error log message of a search query failure, allowing an attacker to cause the creation of large log files. | CVSS3: 4.3 | 0% Low | about 2 years ago
GHSA-7rfw-qh9g-vg98 A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API. | CVSS3: 6.5 | 0% Low | over 2 years ago
GHSA-7qj9-mfh7-vg26 Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial of service by linking to a specially crafted webpage in a message. | CVSS3: 6.5 | 0% Low | about 2 years ago
GHSA-76jf-55hx-4969 Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts, which allows an attacker to specify both a remoteId and the post ID, resulting in the creation of a post with a user-defined post ID. This can break some functionality in the channel or thread containing user-defined posts. | CVSS3: 3.1 | 0% Low | 12 months ago
GHSA-762m-4cx6-6mf4 Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling. | CVSS3: 6.8 | 0% Low | 11 months ago
GHSA-6xjj-v76v-fwpj Mattermost does not validate the requesting user's permissions before updating admin details. | CVSS3: 6.7 | 0% Low | almost 2 years ago
GHSA-6vjc-mjgp-qm8w An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022. | | 0% Low | about 3 years ago