Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-27 | CVE-2023-47168 | Open Redirect vulnerability in Mattermost Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to= | 6.1 |
| 2023-11-27 | CVE-2023-48369 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. | 5.3 |
| 2023-11-27 | CVE-2023-6202 | Unspecified vulnerability in Mattermost Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. | 4.3 |
| 2023-11-27 | CVE-2023-47865 | Unspecified vulnerability in Mattermost Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. | 4.3 |
| 2023-11-06 | CVE-2023-5967 | Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin | 4.3 |
| 2023-11-06 | CVE-2023-5968 | Improper Encoding or Escaping of Output vulnerability in Mattermost Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. | 4.9 |
| 2023-11-06 | CVE-2023-5969 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. | 5.3 |
| 2023-11-02 | CVE-2023-5875 | Unspecified vulnerability in Mattermost Desktop Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server | 5.3 |
| 2023-11-02 | CVE-2023-5876 | Unspecified vulnerability in Mattermost Desktop Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service. | 5.3 |
| 2023-10-17 | CVE-2023-5339 | Information Exposure Through Log Files vulnerability in Mattermost Desktop Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. | 5.5 |