Vulnerabilities > Mattermost > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-08-11 CVE-2023-4105 Missing Authorization vulnerability in Mattermost
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
network
low complexity
mattermost CWE-862
4.3
2023-08-11 CVE-2023-4106 Missing Authorization vulnerability in Mattermost
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
network
low complexity
mattermost CWE-862
6.5
2023-08-11 CVE-2023-4107 Incorrect Authorization vulnerability in Mattermost
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
network
low complexity
mattermost CWE-863
6.5
2023-07-17 CVE-2023-3577 Server-Side Request Forgery (SSRF) vulnerability in Mattermost Server
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
network
low complexity
mattermost CWE-918
4.3
2023-07-17 CVE-2023-3582 Incorrect Authorization vulnerability in Mattermost Server
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, 
network
low complexity
mattermost CWE-863
4.3
2023-07-17 CVE-2023-3585 Resource Exhaustion vulnerability in Mattermost Server
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.
network
low complexity
mattermost CWE-400
4.3
2023-07-17 CVE-2023-3586 Incorrect Authorization vulnerability in Mattermost Server
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
network
low complexity
mattermost CWE-863
5.4
2023-07-17 CVE-2023-3593 Unspecified vulnerability in Mattermost Server
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
network
low complexity
mattermost
6.5
2023-06-16 CVE-2023-2785 Resource Exhaustion vulnerability in Mattermost
Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service
network
low complexity
mattermost CWE-400
4.3
2023-06-16 CVE-2023-2792 Unspecified vulnerability in Mattermost
Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.
network
low complexity
mattermost
6.5