Vulnerabilities > Mattermost
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-29 | CVE-2023-7113 | Cross-site Scripting vulnerability in Mattermost Server Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | 6.1 |
| 2023-12-29 | CVE-2023-7114 | Path Traversal vulnerability in Mattermost Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | 8.8 |
| 2023-12-12 | CVE-2023-6727 | Unspecified vulnerability in Mattermost Server Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. | 4.3 |
| 2023-12-12 | CVE-2023-45316 | Path Traversal vulnerability in Mattermost Server Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | 8.8 |
| 2023-12-12 | CVE-2023-45847 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | 7.5 |
| 2023-12-12 | CVE-2023-46701 | Authorization Bypass Through User-Controlled Key vulnerability in Mattermost Server Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID | 5.3 |
| 2023-12-12 | CVE-2023-49607 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | 7.5 |
| 2023-12-12 | CVE-2023-49809 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. | 6.5 |
| 2023-12-12 | CVE-2023-49874 | Unspecified vulnerability in Mattermost Server Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. | 4.3 |
| 2023-12-12 | CVE-2023-6547 | Unspecified vulnerability in Mattermost Server Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. | 5.4 |