Vulnerabilities > Mattermost

DATE CVE VULNERABILITY TITLE RISK
2022-04-13 CVE-2022-1333 Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Playbooks
Mattermost Playbooks plugin v1.24.0 and earlier fails to properly check the limit on the number of webhooks, which allows authenticated and authorized users to create a specifically drafted Playbook which could trigger a large amount of webhook requests leading to Denial of Service.
network
low complexity
mattermost CWE-770
6.5
2022-04-13 CVE-2022-1337 Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
network
low complexity
mattermost CWE-770
6.5
2022-03-18 CVE-2022-1002 Cross-site Scripting vulnerability in Mattermost
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations.
network
low complexity
mattermost CWE-79
5.4
2022-03-18 CVE-2022-1003 Improper Privilege Management vulnerability in Mattermost
One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads.
network
low complexity
mattermost CWE-269
4.9
2022-03-10 CVE-2022-0903 Out-of-bounds Write vulnerability in Mattermost Server
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
network
low complexity
mattermost CWE-787
7.5
2022-03-10 CVE-2022-0904 Out-of-bounds Write vulnerability in Mattermost Server
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
network
low complexity
mattermost CWE-787
6.5
2022-02-21 CVE-2022-0708 Information Exposure vulnerability in Mattermost
Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure.
network
low complexity
mattermost CWE-200
6.5
2022-01-18 CVE-2021-37864 Incorrect Authorization vulnerability in Mattermost
Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.
network
low complexity
mattermost CWE-863
6.5
2022-01-18 CVE-2021-37865 Resource Exhaustion vulnerability in Mattermost
Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
network
low complexity
mattermost CWE-400
5.7
2022-01-18 CVE-2021-37866 Insufficient Session Expiration vulnerability in Mattermost Boards 0.10.0
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
network
low complexity
mattermost CWE-613
7.5