Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-16 | CVE-2023-2788 | Insufficient Session Expiration vulnerability in Mattermost Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. | 6.5 |
| 2023-06-16 | CVE-2023-2791 | Missing Authorization vulnerability in Mattermost When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. | 4.3 |
| 2023-05-29 | CVE-2023-2808 | Unspecified vulnerability in Mattermost Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link. | 5.3 |
| 2023-05-02 | CVE-2023-2000 | Open Redirect vulnerability in Mattermost Desktop Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website | 5.4 |
| 2023-04-25 | CVE-2023-2281 | Unspecified vulnerability in Mattermost Server When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. | 4.3 |
| 2023-03-31 | CVE-2023-1774 | Missing Authorization vulnerability in Mattermost Server When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. | 5.4 |
| 2023-03-31 | CVE-2023-1775 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | 6.5 |
| 2023-03-31 | CVE-2023-1776 | Cross-site Scripting vulnerability in Mattermost Server Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | 5.4 |
| 2023-03-31 | CVE-2023-1777 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | 5.3 |
| 2023-03-22 | CVE-2023-1562 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | 4.3 |