Vulnerabilities > Mattermost > Mattermost Server

DATE CVE VULNERABILITY TITLE RISK
2023-05-12 CVE-2023-2515 Incorrect Authorization vulnerability in Mattermost Server
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
network
low complexity
mattermost CWE-863
8.8
2023-04-25 CVE-2023-2281 Unspecified vulnerability in Mattermost Server
When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients.
network
low complexity
mattermost
4.3
2023-04-17 CVE-2023-1831 Cleartext Transmission of Sensitive Information vulnerability in Mattermost Server
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
network
low complexity
mattermost CWE-319
7.5
2023-03-31 CVE-2023-1774 Missing Authorization vulnerability in Mattermost Server
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
network
low complexity
mattermost CWE-862
5.4
2023-03-31 CVE-2023-1775 Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
network
low complexity
mattermost CWE-668
6.5
2023-03-31 CVE-2023-1776 Cross-site Scripting vulnerability in Mattermost Server
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
network
low complexity
mattermost CWE-79
5.4
2023-03-31 CVE-2023-1777 Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
network
low complexity
mattermost CWE-668
5.3
2023-03-15 CVE-2023-1421 Cross-site Scripting vulnerability in Mattermost Server
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.
network
low complexity
mattermost CWE-79
6.1
2023-02-27 CVE-2023-27265 Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
network
low complexity
mattermost CWE-668
2.7
2023-02-27 CVE-2023-27266 Information Exposure vulnerability in Mattermost Server
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
network
low complexity
mattermost CWE-200
2.7