Go modules package
github.com/mattermost/mattermost-server/v6
pkg:golang/github.com/mattermost/mattermost-server/v6
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-40703 | Med | 4.3 | < 7.8.13 | 7.8.13 | Nov 27, 2023 | Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. | |
| CVE-2023-35075 | Low | 3.1 | < 7.8.13 | 7.8.13 | Nov 27, 2023 | Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. | |
| CVE-2023-47865 | Med | 4.3 | < 7.8.13 | 7.8.13 | Nov 27, 2023 | Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a pos | |
| CVE-2023-5969 | Med | 5.3 | < 7.8.12 | 7.8.12 | Nov 6, 2023 | Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. | |
| CVE-2023-5968 | Med | 4.9 | >= 5.4.0-rc1, < 7.8.12 | 7.8.12 | Nov 6, 2023 | Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | |
| CVE-2023-5967 | Med | 4.3 | < 7.8.12 | 7.8.12 | Nov 6, 2023 | Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin | |
| CVE-2023-5196 | Med | 6.5 | < 7.8.10 | 7.8.10 | Sep 29, 2023 | Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for | |
| CVE-2023-5195 | Med | 6.5 | < 7.8.10 | 7.8.10 | Sep 29, 2023 | Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of | |
| CVE-2023-5194 | Low | 2.7 | < 7.8.10 | 7.8.10 | Sep 29, 2023 | Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager | |
| CVE-2023-5193 | Med | 4.9 | < 7.8.10 | 7.8.10 | Sep 29, 2023 | Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. | |
| CVE-2023-5159 | Low | 3.8 | < 7.8.10 | 7.8.10 | Sep 29, 2023 | Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. | |
| CVE-2023-4108 | Med | 4.5 | < 7.8.8 | 7.8.8 | Aug 11, 2023 | Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | |
| CVE-2023-4107 | Med | 6.7 | < 7.8.8 | 7.8.8 | Aug 11, 2023 | Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | |
| CVE-2023-4106 | Med | 6.3 | >= 7.9.0, < 7.9.6 | 7.9.6 | Aug 11, 2023 | Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. | |
| CVE-2023-4105 | Low | 3.1 | >= 7.9.0, < 7.9.6 | 7.9.6 | Aug 11, 2023 | Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message | |
| CVE-2023-2783 | Med | 4.3 | >= 7.10.0, < 7.10.1 | 7.10.1 | Jun 16, 2023 | Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. | |
| CVE-2023-2515 | Med | 4.7 | < 7.1.8 | 7.1.8 | May 12, 2023 | Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin | |
| CVE-2023-1777 | Med | 6.5 | >= 6.3.0, < 7.1.6 | 7.1.6 | Mar 31, 2023 | Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | |
| CVE-2023-1776 | Hig | 7.3 | >= 6.0.0, < 7.1.6 | 7.1.6 | Mar 31, 2023 | Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | |
| CVE-2023-1775 | Med | 4.3 | >= 6.0.0, < 7.1.6 | 7.1.6 | Mar 31, 2023 | When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. |
- affected < 7.8.13fixed 7.8.13
Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.
- affected < 7.8.13fixed 7.8.13
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.
- affected < 7.8.13fixed 7.8.13
Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a pos
- affected < 7.8.12fixed 7.8.12
Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.
- affected >= 5.4.0-rc1, < 7.8.12fixed 7.8.12
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
- affected < 7.8.12fixed 7.8.12
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin
- affected < 7.8.10fixed 7.8.10
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for
- affected < 7.8.10fixed 7.8.10
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
- affected < 7.8.10fixed 7.8.10
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
- affected < 7.8.10fixed 7.8.10
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
- affected < 7.8.10fixed 7.8.10
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
- affected < 7.8.8fixed 7.8.8
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
- affected < 7.8.8fixed 7.8.8
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
- affected >= 7.9.0, < 7.9.6fixed 7.9.6
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
- affected >= 7.9.0, < 7.9.6fixed 7.9.6
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
- affected >= 7.10.0, < 7.10.1fixed 7.10.1
Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.
- affected < 7.1.8fixed 7.1.8
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
- affected >= 6.3.0, < 7.1.6fixed 7.1.6
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
- affected >= 6.0.0, < 7.1.6fixed 7.1.6
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
- affected >= 6.0.0, < 7.1.6fixed 7.1.6
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
Page 2 of 3