Vulnerabilities > Mattermost > Mattermost Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-12 | CVE-2023-49874 | Unspecified vulnerability in Mattermost Server Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | 4.3 |
| 2023-12-12 | CVE-2023-6547 | Unspecified vulnerability in Mattermost Server Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. | 5.4 |
| 2023-12-06 | CVE-2023-6458 | Injection vulnerability in Mattermost Server Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | 9.8 |
| 2023-12-06 | CVE-2023-6459 | Unspecified vulnerability in Mattermost Server Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. | 5.3 |
| 2023-10-09 | CVE-2023-5330 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | 7.5 |
| 2023-10-09 | CVE-2023-5331 | Missing Authorization vulnerability in Mattermost Server Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. | 5.3 |
| 2023-10-09 | CVE-2023-5333 | Unspecified vulnerability in Mattermost Server Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | 6.5 |
| 2023-08-25 | CVE-2023-4478 | Injection vulnerability in Mattermost Server Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | 8.2 |
| 2023-07-17 | CVE-2023-3577 | Server-Side Request Forgery (SSRF) vulnerability in Mattermost Server Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | 4.3 |
| 2023-07-17 | CVE-2023-3581 | Origin Validation Error vulnerability in Mattermost Server Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | 8.1 |