Bitnami package
mattermost
pkg:bitnami/mattermost
Vulnerabilities (104)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25068 | — | — | — | >= 9.11.0, < 10.0.0 | 10.0.0 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. |
| CVE-2025-24920 | — | — | — | >= 9.11.0, < 10.0.0 | 10.0.0 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels. |
| CVE-2025-30179 | — | — | — | >= 9.11.0, < 10.0.0 | 10.0.0 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries. |
| CVE-2025-25274 | — | — | — | >= 9.11.0, < 10.0.0 | 10.0.0 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels. |
| CVE-2025-27933 | — | — | — | >= 9.11.0, < 10.0.0 | 10.0.0 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public. |
| CVE-2025-27715 | — | — | — | >= 9.11.0, < 10.0.0 | 10.0.0 | Mar 21, 2025 | Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which causes team admins to join private channels via crafted permalink links without their explicit consent. |
| CVE-2024-52032 | — | — | — | >= 9.11.0, < 9.11.3 | 9.11.3 | Nov 9, 2024 | Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query Elasticsearch when searching for the channel name in the channel switcher, which allows an attacker to get the names of private channels that they are not a member of, when Elasticsearch v8 was enabl |
| CVE-2024-36250 | — | — | — | >= 9.5.0, < 9.5.11 | 9.5.11 | Nov 9, 2024 | Mattermost versions 9.11.x <= 9.11.2 and 9.5.x <= 9.5.10 fail to protect the MFA code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds. |
| CVE-2024-42000 | — | — | — | >= 9.5.0, < 9.5.10 | 9.5.10 | Nov 9, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels, which allows a User or System Manager, with "Read Groups" permission but with no access to channels, to retrieve details about |
| CVE-2024-46872 | — | — | — | >= 9.5.0, <= 9.5.9 | — | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection, which allows a one-click client-side path traversal leading to CSRF in Playbooks. |
| CVE-2024-47003 | — | — | — | >= 9.5.0, < 9.5.9 | 9.5.9 | Sep 26, 2024 | Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend. |
| CVE-2024-42406 | — | — | — | >= 9.5.0, < 9.5.9 | 9.5.9 | Sep 26, 2024 | Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged o |
| CVE-2024-45843 | — | — | — | >= 9.5.0, < 9.5.9 | 9.5.9 | Sep 26, 2024 | Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba. |
| CVE-2024-47145 | — | — | — | >= 9.5.0, < 9.5.9 | 9.5.9 | Sep 26, 2024 | Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links. |
| CVE-2024-45835 | — | — | — | < 5.9.0 | 5.9.0 | Sep 16, 2024 | Mattermost Desktop App versions <= 5.8.0 fail to sufficiently configure Electron Fuses, which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access. |
| CVE-2024-39772 | — | — | — | < 5.9.0 | 5.9.0 | Sep 16, 2024 | Mattermost Desktop App versions <= 5.8.0 fail to safeguard screen capture functionality, which allows an attacker to silently capture high-quality screenshots via JavaScript APIs. |
| CVE-2024-43780 | — | — | — | >= 9.5.0, < 9.5.8 | 9.5.8 | Aug 22, 2024 | Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions, which allows a guest user with read access to upload files to a channel. |
| CVE-2024-42497 | — | — | — | >= 9.5.0, < 9.5.8 | 9.5.8 | Aug 22, 2024 | Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions, which allows a user with the system manager role and read-only access to teams to perform write operations on teams. |
| CVE-2024-40884 | — | — | — | >= 9.5.0, < 9.5.8 | 9.5.8 | Aug 22, 2024 | Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions, which allows a team admin user without the "Add Team Members" permission to disable the invite URL. |
| CVE-2024-41926 | — | — | — | >= 9.5.0, < 9.5.7 | 9.5.7 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remo |