Vulnerabilities > Mattermost > Mattermost Server > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-02 | CVE-2023-47858 | Unspecified vulnerability in Mattermost Server Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. | 4.3 |
| 2024-01-02 | CVE-2023-48732 | Unspecified vulnerability in Mattermost Server Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. | 4.3 |
| 2024-01-02 | CVE-2023-50333 | Unspecified vulnerability in Mattermost Server Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | 4.3 |
| 2023-12-29 | CVE-2023-7113 | Cross-site Scripting vulnerability in Mattermost Server Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | 6.1 |
| 2023-12-12 | CVE-2023-6727 | Unspecified vulnerability in Mattermost Server Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. | 4.3 |
| 2023-12-12 | CVE-2023-46701 | Authorization Bypass Through User-Controlled Key vulnerability in Mattermost Server Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | 5.3 |
| 2023-12-12 | CVE-2023-49809 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. | 6.5 |
| 2023-12-12 | CVE-2023-49874 | Unspecified vulnerability in Mattermost Server Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | 4.3 |
| 2023-12-12 | CVE-2023-6547 | Unspecified vulnerability in Mattermost Server Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. | 5.4 |
| 2023-12-06 | CVE-2023-6459 | Unspecified vulnerability in Mattermost Server Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. | 5.3 |