Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-31 | CVE-2023-1775 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | 6.5 |
| 2023-03-31 | CVE-2023-1776 | Cross-site Scripting vulnerability in Mattermost Server Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | 5.4 |
| 2023-03-31 | CVE-2023-1777 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | 5.3 |
| 2023-03-22 | CVE-2023-1562 | Exposure of Resource to Wrong Sphere vulnerability in Mattermost Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | 4.3 |
| 2023-03-15 | CVE-2023-1421 | Cross-site Scripting vulnerability in Mattermost Server A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter. | 6.1 |
| 2023-02-27 | CVE-2023-27263 | Missing Authorization vulnerability in Mattermost A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of. | 6.5 |
| 2023-02-27 | CVE-2023-27264 | Missing Authorization vulnerability in Mattermost A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API. | 6.5 |
| 2022-11-23 | CVE-2022-4045 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. | 6.5 |
| 2022-11-23 | CVE-2022-4019 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints. | 6.5 |
| 2022-11-23 | CVE-2022-4044 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages. | 6.5 |