Vulnerabilities > Mattermost > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-07-03 CVE-2024-39361 Unspecified vulnerability in Mattermost
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID.
network
low complexity
mattermost
5.4
2024-07-03 CVE-2024-39807 Unspecified vulnerability in Mattermost
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.
network
low complexity
mattermost
5.3
2024-07-03 CVE-2024-39830 Information Exposure Through Discrepancy vulnerability in Mattermost
Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.
network
high complexity
mattermost CWE-203
5.9
2024-07-03 CVE-2024-6428 Unspecified vulnerability in Mattermost
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID.
network
low complexity
mattermost
6.5
2024-06-14 CVE-2024-37182 Unspecified vulnerability in Mattermost Desktop
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.
network
low complexity
mattermost
6.1
2024-04-16 CVE-2024-3872 Unspecified vulnerability in Mattermost Mobile
Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.
network
low complexity
mattermost
6.5
2024-04-05 CVE-2024-28949 Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
network
low complexity
mattermost CWE-770
6.5
2024-04-05 CVE-2024-2447 Origin Validation Error vulnerability in Mattermost Server
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
network
low complexity
mattermost CWE-346
6.5
2024-03-15 CVE-2024-2445 Cross-site Scripting vulnerability in Mattermost Server
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.
network
low complexity
mattermost CWE-79
6.1
2024-03-15 CVE-2024-2446 Allocation of Resources Without Limits or Throttling vulnerability in Mattermost Server
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
network
low complexity
mattermost CWE-770
4.3