Filtered by vendor Mattermost
Subscriptions
Total
453 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5270 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider. | ||||
| CVE-2024-36255 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 5.7 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel. | ||||
| CVE-2024-36241 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 3.1 Low |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command | ||||
| CVE-2024-34152 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control which allows a guest to get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server | ||||
| CVE-2024-34029 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team. | ||||
| CVE-2024-32045 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 5.9 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. | ||||
| CVE-2024-31859 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin | ||||
| CVE-2025-31363 | 1 Mattermost | 1 Mattermost Server | 2025-09-29 | 3 Low |
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool. | ||||
| CVE-2025-2564 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled. | ||||
| CVE-2025-35965 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 6.5 Medium |
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. | ||||
| CVE-2025-41423 | 1 Mattermost | 2 Mattermost Server, Playbooks | 2025-09-29 | 3.1 Low |
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. | ||||
| CVE-2025-3446 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 4.3 Medium |
| Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team. | ||||
| CVE-2025-0503 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. | ||||
| CVE-2025-22449 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 3.8 Low |
| Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. | ||||
| CVE-2024-50052 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | ||||
| CVE-2024-47401 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks. | ||||
| CVE-2024-9155 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-29 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of. | ||||
| CVE-2025-9079 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-25 | 8 High |
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory | ||||
| CVE-2025-9081 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-25 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration | ||||
| CVE-2025-54458 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-25 | 5 Medium |
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint. | ||||