Vulnerabilities > Mattermost > Mattermost Server > 6.3.9
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-09 | CVE-2023-5333 | Unspecified vulnerability in Mattermost Server Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | 6.5 |
2023-08-25 | CVE-2023-4478 | Injection vulnerability in Mattermost Server Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | 8.2 |
2023-07-17 | CVE-2023-3585 | Resource Exhaustion vulnerability in Mattermost Server Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | 4.3 |
2023-07-17 | CVE-2023-3613 | Incorrect Authorization vulnerability in Mattermost Server Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. | 3.5 |
2023-07-17 | CVE-2023-3614 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. | 3.3 |
2023-05-12 | CVE-2023-2515 | Incorrect Authorization vulnerability in Mattermost Server Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin | 8.8 |
2023-04-25 | CVE-2023-2281 | Unspecified vulnerability in Mattermost Server When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. | 4.3 |
2023-04-17 | CVE-2023-1831 | Cleartext Transmission of Sensitive Information vulnerability in Mattermost Server Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). | 7.5 |
2023-03-31 | CVE-2023-1774 | Missing Authorization vulnerability in Mattermost Server When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. | 5.4 |
2023-03-31 | CVE-2023-1775 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | 6.5 |