Vulnerabilities > Mattermost
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-11 | CVE-2023-4106 | Missing Authorization vulnerability in Mattermost Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. | 6.5 |
| 2023-08-11 | CVE-2023-4107 | Incorrect Authorization vulnerability in Mattermost Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | 6.5 |
| 2023-08-11 | CVE-2023-4108 | Information Exposure Through Log Files vulnerability in Mattermost Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | 7.5 |
| 2023-07-17 | CVE-2023-3577 | Server-Side Request Forgery (SSRF) vulnerability in Mattermost Server Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | 4.3 |
| 2023-07-17 | CVE-2023-3581 | Origin Validation Error vulnerability in Mattermost Server Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | 8.1 |
| 2023-07-17 | CVE-2023-3582 | Incorrect Authorization vulnerability in Mattermost Server Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, | 4.3 |
| 2023-07-17 | CVE-2023-3584 | Incorrect Authorization vulnerability in Mattermost Server Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. | 3.1 |
| 2023-07-17 | CVE-2023-3585 | Resource Exhaustion vulnerability in Mattermost Server Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | 4.3 |
| 2023-07-17 | CVE-2023-3586 | Incorrect Authorization vulnerability in Mattermost Server Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | 5.4 |
| 2023-07-17 | CVE-2023-3587 | Missing Authorization vulnerability in Mattermost Server Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions. | 2.7 |