Vulnerabilities > Mattermost > Mattermost Server > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-10-09 CVE-2023-5331 Missing Authorization vulnerability in Mattermost Server
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
network
low complexity
mattermost CWE-862
5.3
2023-10-09 CVE-2023-5333 Unspecified vulnerability in Mattermost Server
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.
network
low complexity
mattermost
6.5
2023-07-17 CVE-2023-3577 Server-Side Request Forgery (SSRF) vulnerability in Mattermost Server
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
network
low complexity
mattermost CWE-918
4.3
2023-07-17 CVE-2023-3582 Incorrect Authorization vulnerability in Mattermost Server
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, 
network
low complexity
mattermost CWE-863
4.3
2023-07-17 CVE-2023-3585 Resource Exhaustion vulnerability in Mattermost Server
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.
network
low complexity
mattermost CWE-400
4.3
2023-07-17 CVE-2023-3586 Incorrect Authorization vulnerability in Mattermost Server
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
network
low complexity
mattermost CWE-863
5.4
2023-07-17 CVE-2023-3593 Unspecified vulnerability in Mattermost Server
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
network
low complexity
mattermost
6.5
2023-04-25 CVE-2023-2281 Unspecified vulnerability in Mattermost Server
When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients.
network
low complexity
mattermost
4.3
2023-03-31 CVE-2023-1774 Missing Authorization vulnerability in Mattermost Server
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
network
low complexity
mattermost CWE-862
5.4
2023-03-31 CVE-2023-1775 Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
network
low complexity
mattermost CWE-668
6.5