Mattermost
by Mattermost
Source repositories
CVEs (476)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-21254 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command. |
| CVE-2018-21260 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy. |
| CVE-2018-21251 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body. |
| CVE-2018-21249 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing. |
| CVE-2017-18870 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case. |
| CVE-2018-21259 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel. |
| CVE-2019-20889 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. |
| CVE-2019-20888 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration. |
| CVE-2019-20886 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. |
| CVE-2018-21263 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response. |
| CVE-2018-21253 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user. |
| CVE-2019-20890 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions. |
| CVE-2019-20884 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post. |
| CVE-2019-20887 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts. |
| CVE-2019-20885 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. |
| CVE-2019-20883 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post. |
| CVE-2019-20882 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team. |
| CVE-2019-20881 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA. |
| CVE-2019-20878 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled. |
| CVE-2019-20879 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry. |
Page 22 of 24