Go modules package
github.com/mattermost/mattermost-server
pkg:golang/github.com/mattermost/mattermost-server
Vulnerabilities (161)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-18917 | Hig | 7.5 | < 3.7.5-0.20170421192444-247cd1e51a8c | 3.7.5-0.20170421192444-247cd1e51a8c | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens. | |
| CVE-2017-18916 | Med | 5.3 | < 3.6.7-0.20170420152529-0968e4079e0a | 3.6.7-0.20170420152529-0968e4079e0a | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction. | |
| CVE-2017-18915 | Cri | 9.8 | < 3.6.7-0.20170420152529-0968e4079e0a | 3.6.7-0.20170420152529-0968e4079e0a | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access. | |
| CVE-2017-18908 | Cri | 9.8 | < 3.9.1-rc1 | 3.9.1-rc1 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address. | |
| CVE-2017-18907 | Med | 6.1 | < 3.9.2-0.20170714014920-312269ad0bd1 | 3.9.2-0.20170714014920-312269ad0bd1 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header. | |
| CVE-2017-18906 | Hig | 8.1 | < 3.9.2-0.20170714134023-b17fca0d5ee7 | 3.9.2-0.20170714134023-b17fca0d5ee7 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account. | |
| CVE-2017-18905 | Med | 5.3 | < 3.9.2 | 3.9.2 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. | |
| CVE-2016-11084 | Med | 6.1 | < 2.1.0 | 2.1.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF. | |
| CVE-2016-11083 | Med | 6.1 | < 2.2.0 | 2.2.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window. | |
| CVE-2016-11082 | Med | 6.1 | < 2.2.0 | 2.2.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link. | |
| CVE-2016-11081 | Med | 4.3 | < 2.2.0 | 2.2.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser. | |
| CVE-2016-11080 | Med | 4.3 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details. | |
| CVE-2016-11079 | Med | 6.1 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL. | |
| CVE-2016-11078 | Med | 6.5 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI. | |
| CVE-2016-11077 | Low | 2.7 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account. | |
| CVE-2016-11076 | Med | 5.3 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL. | |
| CVE-2016-11075 | Med | 5.3 | < 2.0.1-0.20160310160916-26ad6d2c7696 | 2.0.1-0.20160310160916-26ad6d2c7696 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API. | |
| CVE-2016-11074 | Cri | 9.8 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused. | |
| CVE-2016-11073 | Med | 6.1 | < 3.0.0 | 3.0.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting. | |
| CVE-2016-11072 | Med | 6.5 | < 3.0.2 | 3.0.2 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled. |
- affected < 3.7.5-0.20170421192444-247cd1e51a8cfixed 3.7.5-0.20170421192444-247cd1e51a8c
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
- affected < 3.6.7-0.20170420152529-0968e4079e0afixed 3.6.7-0.20170420152529-0968e4079e0a
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
- affected < 3.6.7-0.20170420152529-0968e4079e0afixed 3.6.7-0.20170420152529-0968e4079e0a
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
- affected < 3.9.1-rc1fixed 3.9.1-rc1
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
- affected < 3.9.2-0.20170714014920-312269ad0bd1fixed 3.9.2-0.20170714014920-312269ad0bd1
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
- affected < 3.9.2-0.20170714134023-b17fca0d5ee7fixed 3.9.2-0.20170714134023-b17fca0d5ee7
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
- affected < 3.9.2fixed 3.9.2
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
- affected < 2.1.0fixed 2.1.0
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
- affected < 2.2.0fixed 2.2.0
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
- affected < 2.2.0fixed 2.2.0
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
- affected < 2.2.0fixed 2.2.0
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
- affected < 2.0.1-0.20160310160916-26ad6d2c7696fixed 2.0.1-0.20160310160916-26ad6d2c7696
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
- affected < 3.0.0fixed 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
- affected < 3.0.2fixed 3.0.2
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
Page 6 of 9