Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-17 | CVE-2023-3577 | Server-Side Request Forgery (SSRF) vulnerability in Mattermost Server Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. | 4.3 |
| 2023-07-17 | CVE-2023-3582 | Incorrect Authorization vulnerability in Mattermost Server Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, | 4.3 |
| 2023-07-17 | CVE-2023-3585 | Resource Exhaustion vulnerability in Mattermost Server Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. | 4.3 |
| 2023-07-17 | CVE-2023-3586 | Incorrect Authorization vulnerability in Mattermost Server Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. | 5.4 |
| 2023-07-17 | CVE-2023-3593 | Unspecified vulnerability in Mattermost Server Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input. | 6.5 |
| 2023-06-16 | CVE-2023-2785 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service | 4.3 |
| 2023-06-16 | CVE-2023-2792 | Unspecified vulnerability in Mattermost Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. | 6.5 |
| 2023-06-16 | CVE-2023-2793 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message. | 6.5 |
| 2023-06-16 | CVE-2023-2797 | Injection vulnerability in Mattermost Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. | 6.5 |
| 2023-06-16 | CVE-2023-2831 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. | 6.5 |