Vulnerabilities > Mattermost > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-27 | CVE-2023-40703 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. | 7.5 |
| 2023-11-27 | CVE-2023-48268 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb). | 7.5 |
| 2023-10-09 | CVE-2023-5330 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. | 7.5 |
| 2023-08-25 | CVE-2023-4478 | Injection vulnerability in Mattermost Server Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | 8.2 |
| 2023-08-11 | CVE-2023-4108 | Information Exposure Through Log Files vulnerability in Mattermost Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | 7.5 |
| 2023-07-17 | CVE-2023-3581 | Origin Validation Error vulnerability in Mattermost Server Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. | 8.1 |
| 2023-07-17 | CVE-2023-3590 | Incorrect Authorization vulnerability in Mattermost Server 7.10.0/7.10.1/7.10.2 Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. | 7.5 |
| 2023-07-17 | CVE-2023-3591 | Improper Authentication vulnerability in Mattermost Server Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. | 8.2 |
| 2023-07-17 | CVE-2023-3615 | Improper Certificate Validation vulnerability in Mattermost Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. | 8.1 |
| 2023-05-12 | CVE-2023-2514 | Information Exposure Through Log Files vulnerability in Mattermost Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. | 7.5 |