Vulnerabilities > Mattermost > Mattermost Server > 4.10.6
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-02 | CVE-2023-47858 | Unspecified vulnerability in Mattermost Server Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. | 4.3 |
| 2024-01-02 | CVE-2023-48732 | Unspecified vulnerability in Mattermost Server Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. | 4.3 |
| 2024-01-02 | CVE-2023-50333 | Unspecified vulnerability in Mattermost Server Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | 4.3 |
| 2023-12-29 | CVE-2023-7113 | Cross-site Scripting vulnerability in Mattermost Server Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | 6.1 |
| 2023-12-12 | CVE-2023-6727 | Unspecified vulnerability in Mattermost Server Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. | 4.3 |
| 2023-12-12 | CVE-2023-49809 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. | 6.5 |
| 2023-12-12 | CVE-2023-6547 | Unspecified vulnerability in Mattermost Server Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. | 5.4 |
| 2023-12-06 | CVE-2023-6458 | Injection vulnerability in Mattermost Server Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | 9.8 |
| 2023-12-06 | CVE-2023-6459 | Unspecified vulnerability in Mattermost Server Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. | 5.3 |
| 2023-10-09 | CVE-2023-5330 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | 7.5 |