VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (161)

  • CVE-2025-32093Apr 14, 2025
    affected >= 10.5.0, < 10.5.2fixed 10.5.2

    Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modificat

  • CVE-2025-27933Mar 21, 2025
    affected < 9.11.9fixed 9.11.9

    Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public

  • CVE-2025-1472Mar 19, 2025
    affected >= 9.11.0, < 9.11.9fixed 9.11.9

    Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

  • CVE-2024-39837Aug 1, 2024
    affected >= 9.9.0, < 9.9.1fixed 9.9.1

    Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.

  • CVE-2024-4198Apr 26, 2024
    affected >= 9.6.0-rc1, < 9.6.1fixed 9.6.1

    Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

  • CVE-2024-4195Apr 26, 2024
    affected >= 9.5.0, < 9.5.3fixed 9.5.3

    Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

  • CVE-2024-4183Apr 26, 2024
    affected >= 9.6.0-rc1, < 9.6.1fixed 9.6.1

    Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions tab

  • CVE-2024-4182Apr 26, 2024
    affected >= 8.1.0, < 8.1.12fixed 8.1.12

    Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.

  • CVE-2024-32046Apr 26, 2024
    affected >= 8.1.0, < 8.1.12fixed 8.1.12

    Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

  • CVE-2024-22091Apr 26, 2024
    affected >= 8.1.0, < 8.1.12fixed 8.1.12

    Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths

  • CVE-2024-28053Mar 15, 2024
    affected < 0.0.0-20240209181221-674f549daf0efixed 0.0.0-20240209181221-674f549daf0e

    Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.

  • CVE-2023-5968MedNov 6, 2023
    affected < 5.3.2-0.20230825233148-f787fd63368afixed 5.3.2-0.20230825233148-f787fd63368a

    Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

  • CVE-2023-1777MedMar 31, 2023
    affected >= 7.8.0, < 7.8.1fixed 7.8.1

    Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

  • CVE-2023-1776HigMar 31, 2023
    affected >= 7.7.0, < 7.7.2fixed 7.7.2

    Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.

  • CVE-2023-1775MedMar 31, 2023
    affected >= 3.3.0, < 7.1.6fixed 7.1.6

    When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

  • CVE-2023-1774MedMar 31, 2023
    affected >= 3.3.0, < 7.1.6fixed 7.1.6

    When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.

  • CVE-2022-4045LowNov 23, 2022
    affected < 7.1.4fixed 7.1.4

    A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. 

  • CVE-2022-4044MedNov 23, 2022
    affected < 7.1.4fixed 7.1.4

    A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.

  • CVE-2022-1982MedJun 2, 2022
    affected >= 6.6.0, < 6.6.1fixed 6.6.1

    Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

  • CVE-2017-18918MedJun 19, 2020
    affected < 3.6.5fixed 3.6.5

    An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.

Page 5 of 9