Vulnerabilities > Mattermost > Low
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-28 | CVE-2024-10214 | Unspecified vulnerability in Mattermost Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings. | 3.5 |
| 2024-08-22 | CVE-2024-40884 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL. | 2.7 |
| 2024-08-22 | CVE-2024-32939 | Cleartext Storage of Sensitive Information vulnerability in Mattermost Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server." | 3.7 |
| 2024-07-03 | CVE-2024-39353 | Unspecified vulnerability in Mattermost Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents. | 2.7 |
| 2024-06-14 | CVE-2024-36287 | Unspecified vulnerability in Mattermost Desktop Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS. | 3.3 |
| 2024-04-05 | CVE-2024-29221 | Unspecified vulnerability in Mattermost Server Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins. | 3.8 |
| 2024-04-05 | CVE-2024-21848 | Improper Check for Dropped Privileges vulnerability in Mattermost Server Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel | 3.1 |
| 2024-02-29 | CVE-2024-1949 | Race Condition vulnerability in Mattermost Server A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts. | 2.6 |
| 2024-02-09 | CVE-2024-23319 | Cross-Site Request Forgery (CSRF) vulnerability in Mattermost Server Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message. | 3.5 |
| 2023-11-02 | CVE-2023-5920 | Unspecified vulnerability in Mattermost Desktop Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input. | 3.3 |