Vulnerabilities > Mattermost > Mattermost Server > 9.4.3

DATE CVE VULNERABILITY TITLE RISK
2024-04-26 CVE-2024-32046 Information Exposure Through an Error Message vulnerability in Mattermost Server
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored
network
low complexity
mattermost CWE-209
4.3
2024-04-26 CVE-2024-4182 Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
network
low complexity
mattermost CWE-754
4.3
2024-04-26 CVE-2024-4183 Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
network
low complexity
mattermost CWE-770
6.5
2024-04-05 CVE-2024-28949 Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
network
low complexity
mattermost CWE-770
6.5
2024-04-05 CVE-2024-29221 Unspecified vulnerability in Mattermost Server
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
network
low complexity
mattermost
3.8
2024-04-05 CVE-2024-2447 Origin Validation Error vulnerability in Mattermost Server
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
network
low complexity
mattermost CWE-346
6.5