Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-13 | CVE-2022-1337 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files. | 6.5 |
| 2022-03-18 | CVE-2022-1002 | Cross-site Scripting vulnerability in Mattermost Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | 5.4 |
| 2022-03-18 | CVE-2022-1003 | Improper Privilege Management vulnerability in Mattermost One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads. | 4.9 |
| 2022-03-10 | CVE-2022-0904 | Out-of-bounds Write vulnerability in Mattermost Server A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document. | 6.5 |
| 2022-02-21 | CVE-2022-0708 | Information Exposure vulnerability in Mattermost Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure. | 6.5 |
| 2022-01-18 | CVE-2021-37864 | Incorrect Authorization vulnerability in Mattermost Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs. | 6.5 |
| 2022-01-18 | CVE-2021-37865 | Resource Exhaustion vulnerability in Mattermost Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. | 5.7 |
| 2022-01-18 | CVE-2021-37867 | Information Exposure vulnerability in Mattermost Boards 0.10.0 Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure. | 4.3 |
| 2021-12-17 | CVE-2021-37862 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token. | 5.4 |
| 2021-12-17 | CVE-2021-37863 | Improper Input Validation vulnerability in Mattermost Server Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post. | 5.7 |