Each entry gives the severity, score and advisory title (CVE ID where listed), followed on the next line by the affected version ranges.

HIGH 8.8  CVE-2024-2450  Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ow…
  >= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3 | >= 9.5.0, <= 9.5.0
HIGH 8.8  CVE-2023-45316  Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID,…
  from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
HIGH 8.8  Mattermost Incorrect Authorization vulnerability
  from 0, < 7.1.8, >= 7.2.0, < 7.7.4, >= 7.8.0, < 7.8.3, >= 7.9.0, < 7.9.2
HIGH 8.8  Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server
  from 0, < 6.5.0
HIGH 8.2  Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.
  >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
HIGH 8.2  Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as ina…
  from 0, < 7.8.9, >= 7.9.0, < 7.10.5 | >= 8.0.0, <= 8.0.0
HIGH 8.1  Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket A…
  >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
HIGH 7.5  Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
  >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
HIGH 7.5  An issue was discovered in Mattermost Server before 5.23.0.
  from 0, < 5.23.0
HIGH 7.5  An issue was discovered in Mattermost Server before 5.23.0.
  from 0, < 5.23.0
HIGH 7.5  An issue was discovered in Mattermost Server before 5.22.0.
  from 0, < 5.22.0
HIGH 7.5  An issue was discovered in Mattermost Server before 5.21.0.
  from 0, < 5.21.0
HIGH 7.5  An issue was discovered in Mattermost Server before 5.19.0.
  from 0, < 5.19.0
HIGH 7.5  An issue was discovered in Mattermost Server before 5.19.0.
  from 0, < 5.19.0
HIGH 7.5  A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash…
  from 0, < 5.37.8, >= 6.0.0, < 6.1.3, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.3
HIGH 7.5  Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the exp…
  from 0, < 7.7.3, >= 7.8.0, < 7.8.2 | >= 7.9.0, <= 7.9.0
HIGH 7.5  Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
  >= 7.10.0, < 7.10.3
HIGH 7.5  Mattermost fails to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially cr…
  from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
HIGH 7.5  Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updat…
  from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.0, < 9.1.3, >= 9.2.0, < 9.2.2
HIGH 7.5  Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted req…
  from 0, < 7.8.11, >= 8.0.0, < 8.0.3, >= 8.1.0, < 8.1.2
HIGH 7.1  Mattermost Injection vulnerability
  from 0, < 7.8.14, >= 8.0.0, < 8.1.5, >= 9.0.0, < 9.0.3, >= 9.1.0, < 9.1.2
MEDIUM 6.5  Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
MEDIUM 6.5  An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8.
  from 0, < 5.9.8, >= 5.16.0, < 5.16.5, >= 5.17.0, < 5.17.3, >= 5.18.0, < 5.18.1 | >= 5.19.0-rc1, <= 5.19.0-rc1, >= 5.19.0-rc2, <= 5.19.0-rc2, >= 5.19.0-rc3, <= 5.19.0-rc3
MEDIUM 6.5  A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the s…
  >= 5.0.0, < 5.37.8, >= 6.0.0, < 6.1.3, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.3
MEDIUM 6.5  Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows aut…
  from 0, < 7.1.0
MEDIUM 6.5  Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
  >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
MEDIUM 6.5  Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to t…
  from 0, < 8.1.6, >= 9.0.0, < 9.1.1
MEDIUM 6.5  Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash…
  from 0, < 7.8.11, >= 8.0.0, < 8.0.3, >= 8.1.0, < 8.1.2
MEDIUM 6.5  Mattermost vulnerable to information disclosure
  from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1
MEDIUM 6.5  Mattermost subject to Denial of Service via upload of special GIF
  from 0, < 7.2.0
MEDIUM 6.5  Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server
  from 0, < 6.3.9, >= 6.4.0, < 6.5.2 | >= 6.6.0, <= 6.6.0, >= 6.6.1, <= 6.6.1, >= 6.7.0, <= 6.7.0
MEDIUM 6.5  Uncontrolled Resource Consumption in Mattermost server
  >= 5.0.0, < 6.3.8, >= 6.4.0, < 6.4.3 | >= 6.5.0, <= 6.5.0, >= 6.6.0, <= 6.6.0
MEDIUM 6.5  Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server
  >= 5.37.0, < 5.37.9, >= 6.2.0, < 6.2.5, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.2
MEDIUM 6.1  Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x bef…
  >= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3
MEDIUM 6.1  A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX request…
  >= 5.32.0, < 7.7.0
MEDIUM 6.0  Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.8, >= 9.8.0, < 9.8.3, >= 9.9.0, < 9.9.2 | >= 9.10.0, <= 9.10.0
MEDIUM 5.7  Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a…
  from 0, < 6.0.1
MEDIUM 5.5  Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7, >= 9.7.0, < 9.7.6, >= 9.8.0, < 9.8.2 | >= 9.9.0, <= 9.9.0
MEDIUM 5.4  Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
  >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
MEDIUM 5.4  Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing…
  >= 9.5.0, < 9.5.9, >= 9.9.0, < 9.9.3, >= 9.10.0, < 9.10.2 | >= 9.11.0-rc1, <= 9.11.0-rc1, >= 9.11.0-rc2, <= 9.11.0-rc2, >= 9.11.0-rc3, <= 9.11.0-rc3, >= 9.11.0, <= 9.11.0
MEDIUM 5.4  Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an…
  >= 9.5.0, < 9.5.9
MEDIUM 5.4  Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.9 | >= 9.11.0-rc1, <= 9.11.0-rc1, >= 9.11.0-rc2, <= 9.11.0-rc2, >= 9.11.0-rc3, <= 9.11.0-rc3, >= 9.11.0, <= 9.11.0
MEDIUM 5.4  Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into…
  from 0, < 6.0.1
MEDIUM 5.4  Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previous…
  >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
MEDIUM 5.4  Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but…
  from 0, < 8.1.6, >= 9.2.0, < 9.2.2
MEDIUM 5.4  Mattermost vulnerable to cross-site scripting (XSS)
  from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1
MEDIUM 5.4  Mattermost fails to properly authenticate inviter's permissions to private channel
  from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1
MEDIUM 5.3  An issue was discovered in Mattermost Server before 5.21.0.
  from 0, < 5.21.0
MEDIUM 5.3  Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate li…
  from 0, < 6.3.9, >= 6.4.0, < 6.5.2, >= 6.6.0, < 6.6.2 | >= 6.7.0, <= 6.7.0
MEDIUM 5.3  Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plu…
  from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
MEDIUM 5.3  Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized…
  from 0, < 7.8.11, >= 8.0.0, < 8.0.3, >= 8.1.0, < 8.1.2
MEDIUM 5.3  Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
  from 0, < 7.8.14, >= 8.0.0, < 8.1.5
MEDIUM 5.3  Mattermost vulnerable to information disclosure
  from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1, >= 7.8.0, <= 7.8.0
MEDIUM 5.3  Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost
  from 0, < 5.20.0
MEDIUM 4.8  Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to…
  >= 9.5.0, < 9.5.11, >= 9.11.0, < 9.11.3
MEDIUM 4.7  Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
MEDIUM 4.6  Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server
  >= 9.5.0, <= 9.5.9, >= 9.10.0, <= 9.10.2, >= 9.11.0, <= 9.11.1
MEDIUM 4.6  Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server
  from 0, < 6.5.0
MEDIUM 4.3  Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
  >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
MEDIUM 4.3  Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
  >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
MEDIUM 4.3  Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
  >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
MEDIUM 4.3  Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-menti…
  >= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3
MEDIUM 4.3  Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api…
  >= 9.5.0, < 9.5.10, >= 9.10.0, < 9.10.3, >= 9.11.0, < 9.11.2 | >= 10.0.0-rc1, <= 10.0.0-rc1, >= 10.0.0-rc2, <= 10.0.0-rc2, >= 10.0.0-rc3, <= 10.0.0-rc3, >= 10.0.0-rc4, <= 10.0.0-rc4, >= 10.0.0, <= 10.0.0
MEDIUM 4.3  Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in chann…
  >= 9.11.0, < 9.11.3 | >= 10.0.0-rc1, <= 10.0.0-rc1, >= 10.0.0-rc2, <= 10.0.0-rc2, >= 10.0.0-rc3, <= 10.0.0-rc3, >= 10.0.0-rc4, <= 10.0.0-rc4, >= 10.0.0, <= 10.0.0
MEDIUM 4.3  Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which…
  >= 9.5.0, < 9.5.9
MEDIUM 4.3  Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.8, >= 9.8.0, < 9.8.3, >= 9.9.0, < 9.9.2 | >= 9.10.0, <= 9.10.0
MEDIUM 4.3  Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7, >= 9.7.0, < 9.7.6, >= 9.8.0, < 9.8.2 | >= 9.9.0, <= 9.9.0
MEDIUM 4.3  Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
MEDIUM 4.3  When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients.
  from 0, < 7.9.0
MEDIUM 4.3  Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perfor…
  >= 7.8.0, < 7.8.7, >= 7.10.0, < 7.10.3
MEDIUM 4.3  Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Boar…
  >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
MEDIUM 4.3  Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards lin…
  from 0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
MEDIUM 4.3  Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks…
  from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
MEDIUM 4.3  Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to…
  from 0, < 8.1.6, >= 9.2.0, < 9.2.2
MEDIUM 4.3  Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.9, >= 9.2.0, < 9.2.5 | >= 9.3.0, <= 9.3.0
MEDIUM 4.3  Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.9, >= 9.2.0, < 9.2.5, >= 9.4.0, < 9.4.2 | >= 9.3.0, <= 9.3.0
MEDIUM 4.3  Mattermost leaks details of AD/LDAP groups of a team in github.com/mattermost/mattermost-server
  from 0, < 8.1.9, >= 9.0.0, < 9.2.5, >= 9.4.0, < 9.4.2 | >= 9.3.0-rc1, <= 9.3.0-rc1, >= 9.3.0-rc2, <= 9.3.0-rc2, >= 9.3.0, <= 9.3.0
MEDIUM 4.3  Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
  from 0, < 8.1.8, >= 9.0.0, < 9.1.5, >= 9.2.0, < 9.2.4
MEDIUM 4.3  Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
  from 0, < 9.6.1
MEDIUM 4.3  Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.1.7, >= 9.0.0, < 9.0.5, >= 9.1.0, < 9.1.4, >= 9.2.0, < 9.2.3
MEDIUM 4.3  Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server
  from 0, < 8.1.7
MEDIUM 4.3  Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server
  >= 5.37.0, < 5.37.9, >= 6.2.0, < 6.2.5, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.2
MEDIUM 4.1  Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7, >= 9.7.0, < 9.7.6, >= 9.8.0, < 9.8.2 | >= 9.9.0, <= 9.9.0
LOW 3.8  Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7 | >= 9.9.0, <= 9.9.0
LOW 3.7  Mattermost Desktop App fails to safeguard screen capture functionality
  from 0, < 5.9.0
LOW 3.7  Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server
  from 0, < 8.1.7
LOW 3.7  Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.1.7
LOW 3.5  Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels allowing guest accounts t…
  from 0, < 7.8.6, >= 7.9.0, < 7.10.3
LOW 3.5  Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira
  from 0, < 9.6.1
LOW 3.4  Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira
  from 0, < 9.6.1
LOW 3.3  Mattermost fails to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
  >= 9.11.0, < 10.0.0
LOW 3.3  Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making th…
  from 0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
LOW 3.1  Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.11
LOW 3.1  Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.10
LOW 3.1  Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing…
  >= 7.8.0, < 7.8.5, >= 7.10.0, < 7.10.3
LOW 3.1  Mattermost incorrectly allows access to individual posts in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.9
LOW 3.1  Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server
  from 0, < 9.6.1
LOW 2.7  Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.8 | >= 9.10.0, <= 9.10.0
LOW 2.7  Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7 | >= 9.9.0, <= 9.9.0
LOW 2.7  Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an…
  >= 5.12.0, < 7.7.0