Vulnerabilities > Mattermost > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-16 | CVE-2024-39613 | Uncontrolled Search Path Element vulnerability in Mattermost Desktop Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine. | 7.8 |
| 2024-08-22 | CVE-2024-40886 | Cross-Site Request Forgery (CSRF) vulnerability in Mattermost Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console. | 8.8 |
| 2024-08-22 | CVE-2024-8071 | Unspecified vulnerability in Mattermost Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. | 7.2 |
| 2024-08-01 | CVE-2024-39832 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled. | 8.7 |
| 2024-08-01 | CVE-2024-41144 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels | 7.1 |
| 2024-03-15 | CVE-2024-2450 | Missing Authentication for Critical Function vulnerability in Mattermost Server Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. | 8.8 |
| 2023-12-29 | CVE-2023-7114 | Path Traversal vulnerability in Mattermost Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | 8.8 |
| 2023-12-12 | CVE-2023-45316 | Path Traversal vulnerability in Mattermost Server Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack. | 8.8 |
| 2023-12-12 | CVE-2023-45847 | Resource Exhaustion vulnerability in Mattermost Server Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin | 7.5 |
| 2023-12-12 | CVE-2023-49607 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. | 7.5 |