VYPR

Mattermost

by Mattermost

Source repositories

CVEs (476)

  • CVE-2024-39777Aug 1, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local…

  • CVE-2024-39274Aug 1, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary…

  • CVE-2024-36492Aug 1, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.

  • CVE-2024-29977Aug 1, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts

  • CVE-2024-39767Jul 15, 2024
    risk 0.00cvss epss 0.00

    Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in…

  • CVE-2024-32945Jul 15, 2024
    risk 0.00cvss epss 0.00

    Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions.

  • CVE-2024-6428Jul 3, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause…

  • CVE-2024-39353Jul 3, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents.

  • CVE-2024-39361Jul 3, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can…

  • CVE-2024-39830Jul 3, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote…

  • CVE-2024-39807Jul 3, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.

  • CVE-2024-36257Jul 3, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one…

  • CVE-2024-37182Jun 14, 2024
    risk 0.00cvss epss 0.00

    Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.

  • CVE-2024-36287Jun 14, 2024
    risk 0.00cvss epss 0.00

    Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.

  • CVE-2024-29215May 26, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a…

  • CVE-2024-36255May 26, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly…

  • CVE-2024-36241May 26, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command

  • CVE-2024-31859May 26, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin

  • CVE-2024-5270May 26, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email…

  • CVE-2024-5272May 26, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run…

Page 13 of 24