Vulnerabilities > Mattermost > Mattermost Server > 7.1.6

DATE CVE VULNERABILITY TITLE RISK
2023-03-15 CVE-2023-1421 Cross-site Scripting vulnerability in Mattermost Server
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.
network
low complexity
mattermost CWE-79
6.1
2023-02-27 CVE-2023-27265 Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
network
low complexity
mattermost CWE-668
2.7
2023-02-27 CVE-2023-27266 Information Exposure vulnerability in Mattermost Server
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
network
low complexity
mattermost CWE-200
2.7
2022-09-23 CVE-2022-3257 Unrestricted Upload of File with Dangerous Type vulnerability in Mattermost Server
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
network
low complexity
mattermost CWE-434
6.5