Vulnerabilities > Mattermost > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-17 | CVE-2023-5522 | Unspecified vulnerability in Mattermost Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. | 4.3 |
| 2023-10-09 | CVE-2023-5331 | Missing Authorization vulnerability in Mattermost Server Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. | 5.3 |
| 2023-10-09 | CVE-2023-5333 | Unspecified vulnerability in Mattermost Server Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. | 6.5 |
| 2023-10-02 | CVE-2023-5160 | Unspecified vulnerability in Mattermost Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled | 4.3 |
| 2023-09-29 | CVE-2023-5194 | Incorrect Authorization vulnerability in Mattermost Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager | 4.3 |
| 2023-09-29 | CVE-2023-5195 | Incorrect Authorization vulnerability in Mattermost Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of | 5.4 |
| 2023-09-29 | CVE-2023-5196 | Resource Exhaustion vulnerability in Mattermost Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. | 6.5 |
| 2023-08-11 | CVE-2023-4105 | Missing Authorization vulnerability in Mattermost Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message | 4.3 |
| 2023-08-11 | CVE-2023-4106 | Missing Authorization vulnerability in Mattermost Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. | 6.5 |
| 2023-08-11 | CVE-2023-4107 | Incorrect Authorization vulnerability in Mattermost Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | 6.5 |