Vulnerabilities > Mattermost > Mattermost
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-11 | CVE-2023-4105 | Missing Authorization vulnerability in Mattermost Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message | 4.3 |
| 2023-08-11 | CVE-2023-4106 | Missing Authorization vulnerability in Mattermost Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. | 6.5 |
| 2023-08-11 | CVE-2023-4107 | Incorrect Authorization vulnerability in Mattermost Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | 6.5 |
| 2023-08-11 | CVE-2023-4108 | Information Exposure Through Log Files vulnerability in Mattermost Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | 7.5 |
| 2023-07-17 | CVE-2023-3615 | Improper Certificate Validation vulnerability in Mattermost Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. | 8.1 |
| 2023-06-16 | CVE-2023-2785 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service | 4.3 |
| 2023-06-16 | CVE-2023-2792 | Unspecified vulnerability in Mattermost Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. | 6.5 |
| 2023-06-16 | CVE-2023-2793 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message. | 6.5 |
| 2023-06-16 | CVE-2023-2797 | Injection vulnerability in Mattermost Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. | 6.5 |
| 2023-06-16 | CVE-2023-2831 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. | 6.5 |