Vulnerabilities > Mattermost > Mattermost Server > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-01 | CVE-2024-41144 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels | 7.1 |
| 2024-03-15 | CVE-2024-2450 | Missing Authentication for Critical Function vulnerability in Mattermost Server Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. | 8.8 |
| 2023-12-12 | CVE-2023-45316 | Path Traversal vulnerability in Mattermost Server Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | 8.8 |
| 2023-12-12 | CVE-2023-45847 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | 7.5 |
| 2023-12-12 | CVE-2023-49607 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | 7.5 |
| 2023-10-09 | CVE-2023-5330 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | 7.5 |
| 2023-08-25 | CVE-2023-4478 | Injection vulnerability in Mattermost Server Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | 8.2 |
| 2023-07-17 | CVE-2023-3581 | Origin Validation Error vulnerability in Mattermost Server Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | 8.1 |
| 2023-07-17 | CVE-2023-3590 | Incorrect Authorization vulnerability in Mattermost Server 7.10.0/7.10.1/7.10.2 Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. | 7.5 |
| 2023-07-17 | CVE-2023-3591 | Improper Authentication vulnerability in Mattermost Server Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. | 8.2 |