Go modules package
github.com/mattermost/mattermost-server
pkg:golang/github.com/mattermost/mattermost-server
Vulnerabilities (161)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-32093 | — | >= 10.5.0, < 10.5.2 | 10.5.2 | Apr 14, 2025 | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modificat | ||
| CVE-2025-27933 | — | < 9.11.9 | 9.11.9 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public | ||
| CVE-2025-1472 | — | >= 9.11.0, < 9.11.9 | 9.11.9 | Mar 19, 2025 | Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. | ||
| CVE-2024-39837 | — | >= 9.9.0, < 9.9.1 | 9.9.1 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled. | ||
| CVE-2024-4198 | — | >= 9.6.0-rc1, < 9.6.1 | 9.6.1 | Apr 26, 2024 | Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests. | ||
| CVE-2024-4195 | — | >= 9.5.0, < 9.5.3 | 9.5.3 | Apr 26, 2024 | Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests. | ||
| CVE-2024-4183 | — | >= 9.6.0-rc1, < 9.6.1 | 9.6.1 | Apr 26, 2024 | Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions tab | ||
| CVE-2024-4182 | — | >= 8.1.0, < 8.1.12 | 8.1.12 | Apr 26, 2024 | Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status. | ||
| CVE-2024-32046 | — | >= 8.1.0, < 8.1.12 | 8.1.12 | Apr 26, 2024 | Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored | ||
| CVE-2024-22091 | — | >= 8.1.0, < 8.1.12 | 8.1.12 | Apr 26, 2024 | Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths | ||
| CVE-2024-28053 | — | < 0.0.0-20240209181221-674f549daf0e | 0.0.0-20240209181221-674f549daf0e | Mar 15, 2024 | Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server. | ||
| CVE-2023-5968 | Med | 4.9 | < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a | Nov 6, 2023 | Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | |
| CVE-2023-1777 | Med | 6.5 | >= 7.8.0, < 7.8.1 | 7.8.1 | Mar 31, 2023 | Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | |
| CVE-2023-1776 | Hig | 7.3 | >= 7.7.0, < 7.7.2 | 7.7.2 | Mar 31, 2023 | Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | |
| CVE-2023-1775 | Med | 4.3 | >= 3.3.0, < 7.1.6 | 7.1.6 | Mar 31, 2023 | When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | |
| CVE-2023-1774 | Med | 4.2 | >= 3.3.0, < 7.1.6 | 7.1.6 | Mar 31, 2023 | When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. | |
| CVE-2022-4045 | Low | 3.1 | < 7.1.4 | 7.1.4 | Nov 23, 2022 | A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. | |
| CVE-2022-4044 | Med | 4.3 | < 7.1.4 | 7.1.4 | Nov 23, 2022 | A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages. | |
| CVE-2022-1982 | Med | 4.3 | >= 6.6.0, < 6.6.1 | 6.6.1 | Jun 2, 2022 | Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post. | |
| CVE-2017-18918 | Med | 4.9 | < 3.6.5 | 3.6.5 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. |
- CVE-2025-32093Apr 14, 2025affected >= 10.5.0, < 10.5.2fixed 10.5.2
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modificat
- CVE-2025-27933Mar 21, 2025affected < 9.11.9fixed 9.11.9
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public
- CVE-2025-1472Mar 19, 2025affected >= 9.11.0, < 9.11.9fixed 9.11.9
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
- CVE-2024-39837Aug 1, 2024affected >= 9.9.0, < 9.9.1fixed 9.9.1
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
- CVE-2024-4198Apr 26, 2024affected >= 9.6.0-rc1, < 9.6.1fixed 9.6.1
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
- CVE-2024-4195Apr 26, 2024affected >= 9.5.0, < 9.5.3fixed 9.5.3
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
- CVE-2024-4183Apr 26, 2024affected >= 9.6.0-rc1, < 9.6.1fixed 9.6.1
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions tab
- CVE-2024-4182Apr 26, 2024affected >= 8.1.0, < 8.1.12fixed 8.1.12
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
- CVE-2024-32046Apr 26, 2024affected >= 8.1.0, < 8.1.12fixed 8.1.12
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored
- CVE-2024-22091Apr 26, 2024affected >= 8.1.0, < 8.1.12fixed 8.1.12
Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths
- CVE-2024-28053Mar 15, 2024affected < 0.0.0-20240209181221-674f549daf0efixed 0.0.0-20240209181221-674f549daf0e
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
- affected < 5.3.2-0.20230825233148-f787fd63368afixed 5.3.2-0.20230825233148-f787fd63368a
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
- affected >= 7.8.0, < 7.8.1fixed 7.8.1
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
- affected >= 7.7.0, < 7.7.2fixed 7.7.2
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
- affected >= 3.3.0, < 7.1.6fixed 7.1.6
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
- affected >= 3.3.0, < 7.1.6fixed 7.1.6
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
- affected < 7.1.4fixed 7.1.4
A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.
- affected < 7.1.4fixed 7.1.4
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
- affected >= 6.6.0, < 6.6.1fixed 6.6.1
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
- affected < 3.6.5fixed 3.6.5
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
Page 5 of 9