Vulnerabilities > Mattermost

DATE CVE VULNERABILITY TITLE RISK
2022-03-18 CVE-2022-1002 Cross-site Scripting vulnerability in Mattermost
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations.
network
low complexity
mattermost CWE-79
5.4
2022-03-18 CVE-2022-1003 Improper Privilege Management vulnerability in Mattermost
One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads.
network
low complexity
mattermost CWE-269
4.9
2022-03-10 CVE-2022-0903 Out-of-bounds Write vulnerability in Mattermost Server
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
network
low complexity
mattermost CWE-787
7.5
2022-03-10 CVE-2022-0904 Out-of-bounds Write vulnerability in Mattermost Server
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
network
low complexity
mattermost CWE-787
6.5
2022-02-21 CVE-2022-0708 Information Exposure vulnerability in Mattermost
Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure.
network
low complexity
mattermost CWE-200
6.5
2022-01-18 CVE-2021-37864 Incorrect Authorization vulnerability in Mattermost
Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.
network
low complexity
mattermost CWE-863
6.5
2022-01-18 CVE-2021-37865 Resource Exhaustion vulnerability in Mattermost
Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
network
low complexity
mattermost CWE-400
5.7
2022-01-18 CVE-2021-37866 Insufficient Session Expiration vulnerability in Mattermost Boards 0.10.0
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
network
low complexity
mattermost CWE-613
7.5
2022-01-18 CVE-2021-37867 Information Exposure vulnerability in Mattermost Boards 0.10.0
Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure.
network
low complexity
mattermost CWE-200
4.3
2021-12-17 CVE-2021-37862 Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
network
low complexity
mattermost CWE-754
5.4