Vulnerabilities > Mattermost > Mattermost Server > 6.3.9
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-31 | CVE-2023-1774 | Missing Authorization vulnerability in Mattermost Server When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. | 5.4 |
| 2023-03-31 | CVE-2023-1775 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | 6.5 |
| 2023-03-31 | CVE-2023-1776 | Cross-site Scripting vulnerability in Mattermost Server Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | 5.4 |
| 2023-03-31 | CVE-2023-1777 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | 5.3 |
| 2023-03-15 | CVE-2023-1421 | Cross-site Scripting vulnerability in Mattermost Server A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter. | 6.1 |
| 2023-02-27 | CVE-2023-27265 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response. | 2.7 |
| 2023-02-27 | CVE-2023-27266 | Information Exposure vulnerability in Mattermost Server Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response. | 2.7 |
| 2022-09-23 | CVE-2022-3257 | Unrestricted Upload of File with Dangerous Type vulnerability in Mattermost Server Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. | 6.5 |
| 2022-09-09 | CVE-2022-3147 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service. | 6.5 |
| 2022-04-19 | CVE-2022-1384 | Missing Authorization vulnerability in Mattermost Server Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities. | 8.8 |