Go modules package
github.com/mattermost/mattermost-server
pkg:golang/github.com/mattermost/mattermost-server
Vulnerabilities (161)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-11071 | Med | 6.1 | < 3.1.0 | 3.1.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place. | |
| CVE-2016-11070 | Med | 5.4 | < 3.1.0 | 3.1.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values. | |
| CVE-2016-11069 | Hig | 7.5 | < 3.2.0 | 3.2.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change. | |
| CVE-2016-11068 | Med | 5.3 | < 3.2.0 | 3.2.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection. | |
| CVE-2016-11067 | Med | 5.3 | < 3.2.0 | 3.2.0 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang. | |
| CVE-2016-11066 | Hig | 7.5 | < 3.1.1 | 3.1.1 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information. | |
| CVE-2016-11063 | Med | 6.1 | < 3.5.1 | 3.5.1 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview. | |
| CVE-2017-18912 | Cri | 9.8 | < 3.7.4-0.20170404171331-0b5c0794fdcb | 3.7.4-0.20170404171331-0b5c0794fdcb | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file. | |
| CVE-2017-18911 | Cri | 9.1 | < 3.6.7-rc1 | 3.6.7-rc1 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. | |
| CVE-2017-18909 | Hig | 7.5 | < 3.8.1-0.20170504181128-4f074fed0d65 | 3.8.1-0.20170504181128-4f074fed0d65 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. | |
| CVE-2017-18904 | Med | 6.1 | < 3.9.2 | 3.9.2 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file. | |
| CVE-2017-18903 | Hig | 8.8 | < 3.9.2 | 3.9.2 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. | |
| CVE-2017-18902 | Med | 5.3 | < 3.10.3 | 3.10.3 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints. | |
| CVE-2017-18901 | Med | 5.3 | < 3.10.3 | 3.10.3 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document. | |
| CVE-2017-18900 | Cri | 9.8 | < 3.10.3 | 3.10.3 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report. | |
| CVE-2017-18898 | Med | 5.3 | < 4.0.5 | 4.0.5 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang. | |
| CVE-2017-18897 | Med | 6.1 | < 4.0.5 | 4.0.5 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection. | |
| CVE-2017-18896 | Med | 5.3 | >= 4.1.0, < 4.1.1 | 4.1.1 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint. | |
| CVE-2017-18895 | Med | 5.3 | < 4.0.5 | 4.0.5 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint. | |
| CVE-2017-18894 | Hig | 8.1 | < 4.0.5 | 4.0.5 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover. |
- affected < 3.1.0fixed 3.1.0
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
- affected < 3.1.0fixed 3.1.0
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
- affected < 3.2.0fixed 3.2.0
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
- affected < 3.2.0fixed 3.2.0
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
- affected < 3.2.0fixed 3.2.0
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
- affected < 3.1.1fixed 3.1.1
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
- affected < 3.5.1fixed 3.5.1
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
- affected < 3.7.4-0.20170404171331-0b5c0794fdcbfixed 3.7.4-0.20170404171331-0b5c0794fdcb
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
- affected < 3.6.7-rc1fixed 3.6.7-rc1
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
- affected < 3.8.1-0.20170504181128-4f074fed0d65fixed 3.8.1-0.20170504181128-4f074fed0d65
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
- affected < 3.9.2fixed 3.9.2
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
- affected < 3.9.2fixed 3.9.2
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
- affected < 3.10.3fixed 3.10.3
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
- affected < 3.10.3fixed 3.10.3
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
- affected < 3.10.3fixed 3.10.3
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
- affected < 4.0.5fixed 4.0.5
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
- affected < 4.0.5fixed 4.0.5
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
- affected >= 4.1.0, < 4.1.1fixed 4.1.1
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
- affected < 4.0.5fixed 4.0.5
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
- affected < 4.0.5fixed 4.0.5
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
Page 7 of 9