Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-03 | CVE-2024-39361 | Unspecified vulnerability in Mattermost Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. | 5.4 |
| 2024-07-03 | CVE-2024-39807 | Unspecified vulnerability in Mattermost Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. | 5.3 |
| 2024-07-03 | CVE-2024-39830 | Information Exposure Through Discrepancy vulnerability in Mattermost Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. | 5.9 |
| 2024-07-03 | CVE-2024-6428 | Unspecified vulnerability in Mattermost Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. | 6.5 |
| 2024-06-14 | CVE-2024-37182 | Unspecified vulnerability in Mattermost Desktop Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes. | 6.1 |
| 2024-04-26 | CVE-2024-22091 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths | 6.5 |
| 2024-04-26 | CVE-2024-32046 | Information Exposure Through an Error Message vulnerability in Mattermost Server Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored | 4.3 |
| 2024-04-26 | CVE-2024-4182 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Server Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status. | 4.3 |
| 2024-04-26 | CVE-2024-4183 | Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table. | 6.5 |
| 2024-04-16 | CVE-2024-3872 | Unspecified vulnerability in Mattermost Mobile Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link. | 6.5 |