Vendor CVEs
Mattermost
All CVEs
523 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-21257 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API. |
| CVE-2018-21261 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges. |
| CVE-2018-21262 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text. |
| CVE-2018-21265 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.0.0. It mishandled the Same Origin Policy for setPermissionRequestHandler (e.g., video, audio, and notifications). |
| CVE-2018-21250 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions. |
| CVE-2018-21254 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command. |
| CVE-2018-21260 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy. |
| CVE-2018-21251 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body. |
| CVE-2018-21249 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing. |
| CVE-2017-18870 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case. |
| CVE-2018-21259 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel. |
| CVE-2019-20889 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. |
| CVE-2019-20888 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration. |
| CVE-2019-20886 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. |
| CVE-2018-21263 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response. |
| CVE-2018-21253 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user. |
| CVE-2019-20890 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions. |
| CVE-2019-20884 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post. |
| CVE-2019-20887 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts. |
| CVE-2019-20885 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. |
| CVE-2019-20883 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post. |
| CVE-2019-20882 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team. |
| CVE-2019-20881 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA. |
| CVE-2019-20879 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry. |
| CVE-2019-20878 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled. |
| CVE-2019-20880 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph. |
| CVE-2019-20877 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled. |
| CVE-2019-20876 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy. |
| CVE-2019-20875 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed. |
| CVE-2019-20874 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change. |
| CVE-2019-20873 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation. |
| CVE-2019-20872 | Mattermost | | 0.00 | — | 0.00 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services. |
| CVE-2019-20870 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID. |
| CVE-2019-20869 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel. |
| CVE-2019-20868 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated. |
| CVE-2019-20867 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post. |
| CVE-2019-20866 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled. |
| CVE-2019-20865 | Mattermost | | 0.00 | — | 0.00 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF. |
| CVE-2019-20863 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted. |
| CVE-2019-20862 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands. |
| CVE-2019-20861 | Mattermost | | 0.00 | — | 0.02 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link. |
| CVE-2019-20860 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document. |
| CVE-2019-20859 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input. |
| CVE-2019-20858 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint. |
| CVE-2019-20857 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters. |
| CVE-2019-20856 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection. |
| CVE-2019-20855 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration. |
| CVE-2019-20854 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message. |
| CVE-2019-20853 | Mattermost | | 0.00 | — | 0.02 | | Jun 19, 2020 | An issue was discovered in Mattermost Packages before 5.16.3. A Droplet could allow Internet access to a service that has a remote code execution problem. |
| CVE-2019-20852 | Mattermost | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content). |
Page 10 of 11