VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (161)

  • CVE-2016-11071MedJun 19, 2020
    affected < 3.1.0fixed 3.1.0

    An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.

  • CVE-2016-11070MedJun 19, 2020
    affected < 3.1.0fixed 3.1.0

    An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.

  • CVE-2016-11069HigJun 19, 2020
    affected < 3.2.0fixed 3.2.0

    An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.

  • CVE-2016-11068MedJun 19, 2020
    affected < 3.2.0fixed 3.2.0

    An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.

  • CVE-2016-11067MedJun 19, 2020
    affected < 3.2.0fixed 3.2.0

    An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.

  • CVE-2016-11066HigJun 19, 2020
    affected < 3.1.1fixed 3.1.1

    An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.

  • CVE-2016-11063MedJun 19, 2020
    affected < 3.5.1fixed 3.5.1

    An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.

  • CVE-2017-18912CriJun 19, 2020
    affected < 3.7.4-0.20170404171331-0b5c0794fdcbfixed 3.7.4-0.20170404171331-0b5c0794fdcb

    An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.

  • CVE-2017-18911CriJun 19, 2020
    affected < 3.6.7-rc1fixed 3.6.7-rc1

    An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.

  • CVE-2017-18909HigJun 19, 2020
    affected < 3.8.1-0.20170504181128-4f074fed0d65fixed 3.8.1-0.20170504181128-4f074fed0d65

    An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.

  • CVE-2017-18904MedJun 19, 2020
    affected < 3.9.2fixed 3.9.2

    An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.

  • CVE-2017-18903HigJun 19, 2020
    affected < 3.9.2fixed 3.9.2

    An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.

  • CVE-2017-18902MedJun 19, 2020
    affected < 3.10.3fixed 3.10.3

    An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

  • CVE-2017-18901MedJun 19, 2020
    affected < 3.10.3fixed 3.10.3

    An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.

  • CVE-2017-18900CriJun 19, 2020
    affected < 3.10.3fixed 3.10.3

    An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.

  • CVE-2017-18898MedJun 19, 2020
    affected < 4.0.5fixed 4.0.5

    An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.

  • CVE-2017-18897MedJun 19, 2020
    affected < 4.0.5fixed 4.0.5

    An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.

  • CVE-2017-18896MedJun 19, 2020
    affected >= 4.1.0, < 4.1.1fixed 4.1.1

    An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.

  • CVE-2017-18895MedJun 19, 2020
    affected < 4.0.5fixed 4.0.5

    An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.

  • CVE-2017-18894HigJun 19, 2020
    affected < 4.0.5fixed 4.0.5

    An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.

Page 7 of 9