Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-26 | CVE-2024-47145 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links. | 4.3 |
| 2024-09-16 | CVE-2024-39772 | Unspecified vulnerability in Mattermost Desktop Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs. | 5.3 |
| 2024-09-16 | CVE-2024-45835 | Unspecified vulnerability in Mattermost Desktop Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access. | 6.5 |
| 2024-09-16 | CVE-2024-45833 | Unspecified vulnerability in Mattermost Mobile 1.26.0/1.29.0/1.30.0 Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.. | 6.5 |
| 2024-08-22 | CVE-2024-42497 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams. | 4.9 |
| 2024-08-22 | CVE-2024-43780 | Unspecified vulnerability in Mattermost Server Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel. | 4.3 |
| 2024-08-22 | CVE-2024-39810 | Unspecified vulnerability in Mattermost Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash. | 4.9 |
| 2024-08-22 | CVE-2024-39836 | Unspecified vulnerability in Mattermost Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails. | 6.5 |
| 2024-08-22 | CVE-2024-42411 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older. | 5.3 |
| 2024-08-22 | CVE-2024-43813 | Unspecified vulnerability in Mattermost Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user. | 4.3 |