Vulnerabilities > Mattermost > Mattermost Server > 9.6.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-26 | CVE-2024-22091 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths | 6.5 |
| 2024-04-26 | CVE-2024-32046 | Information Exposure Through an Error Message vulnerability in Mattermost Server Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored | 4.3 |
| 2024-04-26 | CVE-2024-4182 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status. | 4.3 |
| 2024-04-26 | CVE-2024-4183 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table. | 6.5 |
| 2024-04-26 | CVE-2024-4198 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests. | 2.7 |