Go modules package

github.com/mattermost/mattermost-server/v6

pkg:golang/github.com/mattermost/mattermost-server/v6

Vulnerabilities (47)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-48268	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
CVE-2023-45223	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
CVE-2023-47865	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a pos
CVE-2023-5969	—	< 7.8.12	7.8.12	Nov 6, 2023	Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.
CVE-2023-5968	—	>= 5.4.0-rc1, < 7.8.12	7.8.12	Nov 6, 2023	Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
CVE-2023-5967	—	< 7.8.12	7.8.12	Nov 6, 2023	Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin
CVE-2023-5194	—	< 7.8.10	7.8.10	Sep 29, 2023	Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
CVE-2023-5195	—	< 7.8.10	7.8.10	Sep 29, 2023	Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
CVE-2023-5193	—	< 7.8.10	7.8.10	Sep 29, 2023	Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
CVE-2023-5196	—	< 7.8.10	7.8.10	Sep 29, 2023	Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for
CVE-2023-5159	—	< 7.8.10	7.8.10	Sep 29, 2023	Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
CVE-2023-4108	—	< 7.8.8	7.8.8	Aug 11, 2023	Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
CVE-2023-4107	—	< 7.8.8	7.8.8	Aug 11, 2023	Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
CVE-2023-4106	—	>= 7.9.0, < 7.9.6	7.9.6	Aug 11, 2023	Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
CVE-2023-4105	—	>= 7.9.0, < 7.9.6	7.9.6	Aug 11, 2023	Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
CVE-2023-2783	—	>= 7.10.0, < 7.10.1	7.10.1	Jun 16, 2023	Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.
CVE-2023-2515	—	< 7.1.8	7.1.8	May 12, 2023	Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
CVE-2023-1777	—	>= 6.3.0, < 7.1.6	7.1.6	Mar 31, 2023	Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
CVE-2023-1776	—	>= 6.0.0, < 7.1.6	7.1.6	Mar 31, 2023	Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
CVE-2023-1775	—	>= 6.0.0, < 7.1.6	7.1.6	Mar 31, 2023	When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

CVE-2023-48268Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
CVE-2023-45223Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
CVE-2023-47865Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a pos
CVE-2023-5969Nov 6, 2023
affected < 7.8.12fixed 7.8.12
Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.
CVE-2023-5968Nov 6, 2023
affected >= 5.4.0-rc1, < 7.8.12fixed 7.8.12
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
CVE-2023-5967Nov 6, 2023
affected < 7.8.12fixed 7.8.12
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin
CVE-2023-5194Sep 29, 2023
affected < 7.8.10fixed 7.8.10
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
CVE-2023-5195Sep 29, 2023
affected < 7.8.10fixed 7.8.10
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
CVE-2023-5193Sep 29, 2023
affected < 7.8.10fixed 7.8.10
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
CVE-2023-5196Sep 29, 2023
affected < 7.8.10fixed 7.8.10
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for
CVE-2023-5159Sep 29, 2023
affected < 7.8.10fixed 7.8.10
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
CVE-2023-4108Aug 11, 2023
affected < 7.8.8fixed 7.8.8
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
CVE-2023-4107Aug 11, 2023
affected < 7.8.8fixed 7.8.8
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
CVE-2023-4106Aug 11, 2023
affected >= 7.9.0, < 7.9.6fixed 7.9.6
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
CVE-2023-4105Aug 11, 2023
affected >= 7.9.0, < 7.9.6fixed 7.9.6
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
CVE-2023-2783Jun 16, 2023
affected >= 7.10.0, < 7.10.1fixed 7.10.1
Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.
CVE-2023-2515May 12, 2023
affected < 7.1.8fixed 7.1.8
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
CVE-2023-1777Mar 31, 2023
affected >= 6.3.0, < 7.1.6fixed 7.1.6
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
CVE-2023-1776Mar 31, 2023
affected >= 6.0.0, < 7.1.6fixed 7.1.6
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
CVE-2023-1775Mar 31, 2023
affected >= 6.0.0, < 7.1.6fixed 7.1.6
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

Page 2 of 3