| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-18884 | — | Hig | 0.53 | 8.1 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. | |
| CVE-2018-21264 | Hig | 0.57 | 8.8 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response. | ||
| CVE-2020-8184 | — | Hig | 0.42 | 7.5 | 0.03 | Jun 19, 2020 | A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. | |
| CVE-2020-8164 | — | Hig | 0.49 | 7.5 | 0.04 | Jun 19, 2020 | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. | |
| CVE-2020-8162 | — | Hig | 0.49 | 7.5 | 0.03 | Jun 19, 2020 | A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | |
| CVE-2019-20888 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration. | ||
| CVE-2019-20886 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. | ||
| CVE-2019-20885 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. | ||
| CVE-2019-20881 | Hig | 0.48 | 7.3 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA. | ||
| CVE-2019-20880 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph. | ||
| CVE-2018-21263 | Hig | 0.57 | 8.8 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response. | ||
| CVE-2018-21262 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text. | ||
| CVE-2018-21258 | — | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command. | |
| CVE-2018-21248 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials. | ||
| CVE-2017-18871 | — | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name. | |
| CVE-2019-20874 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change. | ||
| CVE-2019-20871 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking. | ||
| CVE-2019-20868 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated. | ||
| CVE-2019-20865 | Hig | 0.57 | 8.8 | 0.00 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF. | ||
| CVE-2019-20864 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account. | ||
| CVE-2019-20863 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted. | ||
| CVE-2019-20862 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands. | ||
| CVE-2019-20861 | Hig | 0.50 | 8.8 | 0.02 | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link. | ||
| CVE-2019-20859 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input. | ||
| CVE-2019-20858 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint. | ||
| CVE-2019-20857 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters. | ||
| CVE-2019-20855 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration. | ||
| CVE-2019-20854 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message. | ||
| CVE-2019-20852 | Hig | 0.42 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content). | ||
| CVE-2020-14459 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002. | ||
| CVE-2020-14458 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004. | ||
| CVE-2020-14456 | Hig | 0.47 | 7.3 | 0.00 | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006. | ||
| CVE-2020-14453 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005. | ||
| CVE-2020-14451 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013. | ||
| CVE-2020-14450 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017. | ||
| CVE-2020-14449 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Mobile Apps before 1.30.0. Authorization tokens can sometimes be disclosed to third-party servers, aka MMSA-2020-0018. | ||
| CVE-2020-14448 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020. | ||
| CVE-2020-14447 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021. | ||
| CVE-2019-20848 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Quick Reply feature mishandles crafted replies. | ||
| CVE-2019-20846 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage. | ||
| CVE-2019-20845 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import. | ||
| CVE-2019-20843 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files. | ||
| CVE-2019-20842 | Hig | 0.47 | 7.2 | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels. | ||
| CVE-2019-20841 | Hig | 0.57 | 8.8 | 0.00 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks. | ||
| CVE-2020-7679 | Hig | 0.48 | 7.3 | 0.02 | Jun 19, 2020 | In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution. | ||
| CVE-2020-14019 | — | Hig | 0.44 | 7.8 | 0.00 | Jun 19, 2020 | Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved. | |
| CVE-2020-5590 | Hig | 0.53 | 8.1 | 0.02 | Jun 19, 2020 | Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors. | ||
| CVE-2020-4059 | Hig | 0.41 | 7.3 | 0.03 | Jun 18, 2020 | In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in… | ||
| CVE-2020-12887 | Hig | 0.00 | 7.5 | 0.02 | Jun 18, 2020 | Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options… | ||
| CVE-2020-12885 | Hig | 0.00 | 7.5 | 0.01 | Jun 18, 2020 | An infinite loop was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse_multiple_options() parses CoAP options in a while loop. This loop's exit condition is computed… |
- risk 0.53cvss 8.1epss 0.01
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
- risk 0.57cvss 8.8epss 0.01
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response.
- risk 0.42cvss 7.5epss 0.03
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
- risk 0.49cvss 7.5epss 0.04
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
- risk 0.49cvss 7.5epss 0.03
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
- risk 0.48cvss 7.3epss 0.01
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
- risk 0.57cvss 8.8epss 0.01
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
- risk 0.57cvss 8.8epss 0.00
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
- risk 0.50cvss 8.8epss 0.02
An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content).
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
- risk 0.47cvss 7.3epss 0.00
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Mobile Apps before 1.30.0. Authorization tokens can sometimes be disclosed to third-party servers, aka MMSA-2020-0018.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Quick Reply feature mishandles crafted replies.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
- risk 0.47cvss 7.2epss 0.01
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
- risk 0.57cvss 8.8epss 0.00
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
- risk 0.48cvss 7.3epss 0.02
In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.
- risk 0.44cvss 7.8epss 0.00
Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.
- risk 0.53cvss 8.1epss 0.02
Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors.
- risk 0.41cvss 7.3epss 0.03
In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in…
- risk 0.00cvss 7.5epss 0.02
Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options…
- risk 0.00cvss 7.5epss 0.01
An infinite loop was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse_multiple_options() parses CoAP options in a while loop. This loop's exit condition is computed…