VYPR

Go modules package

github.com/mattermost/mattermost-server/v6

pkg:golang/github.com/mattermost/mattermost-server/v6

Vulnerabilities (47)

  • CVE-2023-40703MedNov 27, 2023
    affected < 7.8.13fixed 7.8.13

    Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. 

  • CVE-2023-35075LowNov 27, 2023
    affected < 7.8.13fixed 7.8.13

    Mattermost fails to use  innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. 

  • CVE-2023-47865MedNov 27, 2023
    affected < 7.8.13fixed 7.8.13

    Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a pos

  • CVE-2023-5969MedNov 6, 2023
    affected < 7.8.12fixed 7.8.12

    Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.

  • CVE-2023-5968MedNov 6, 2023
    affected >= 5.4.0-rc1, < 7.8.12fixed 7.8.12

    Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

  • CVE-2023-5967MedNov 6, 2023
    affected < 7.8.12fixed 7.8.12

    Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin

  • CVE-2023-5196MedSep 29, 2023
    affected < 7.8.10fixed 7.8.10

    Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for

  • CVE-2023-5195MedSep 29, 2023
    affected < 7.8.10fixed 7.8.10

    Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of

  • CVE-2023-5194LowSep 29, 2023
    affected < 7.8.10fixed 7.8.10

    Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager

  • CVE-2023-5193MedSep 29, 2023
    affected < 7.8.10fixed 7.8.10

    Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

  • CVE-2023-5159LowSep 29, 2023
    affected < 7.8.10fixed 7.8.10

    Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.

  • CVE-2023-4108MedAug 11, 2023
    affected < 7.8.8fixed 7.8.8

    Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged

  • CVE-2023-4107MedAug 11, 2023
    affected < 7.8.8fixed 7.8.8

    Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.

  • CVE-2023-4106MedAug 11, 2023
    affected >= 7.9.0, < 7.9.6fixed 7.9.6

    Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.

  • CVE-2023-4105LowAug 11, 2023
    affected >= 7.9.0, < 7.9.6fixed 7.9.6

    Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message

  • CVE-2023-2783MedJun 16, 2023
    affected >= 7.10.0, < 7.10.1fixed 7.10.1

    Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

  • CVE-2023-2515MedMay 12, 2023
    affected < 7.1.8fixed 7.1.8

    Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin

  • CVE-2023-1777MedMar 31, 2023
    affected >= 6.3.0, < 7.1.6fixed 7.1.6

    Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

  • CVE-2023-1776HigMar 31, 2023
    affected >= 6.0.0, < 7.1.6fixed 7.1.6

    Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.

  • CVE-2023-1775MedMar 31, 2023
    affected >= 6.0.0, < 7.1.6fixed 7.1.6

    When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.