Filtered by vendor Mattermost
Total: 435 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-24866 | Mattermost | Mattermost Server | 2025-10-01 | N/A | 2.7 LOW | Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.
CVE-2025-1472 | Mattermost | Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM | Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
CVE-2025-24526 | Mattermost | Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM | Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export channel contents when they should not have access to them.
CVE-2025-24490 | Mattermost | Mattermost Server | 2025-10-01 | N/A | 9.6 CRITICAL | Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query for boards reordering, which allows an attacker to retrieve data from the database via SQL injection when reordering specially crafted board categories.
CVE-2025-1412 | Mattermost | Mattermost Server | 2025-10-01 | N/A | 3.1 LOW | Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
CVE-2025-20621 | Mattermost | Mattermost Server | 2025-10-01 | N/A | 6.5 MEDIUM | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash by creating and sending such a post to a channel.
CVE-2024-10241 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled, which allows a user to get private channel names by using cmd+K/ctrl+K.
CVE-2025-21088 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
CVE-2025-20086 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.
CVE-2024-54682 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin.
CVE-2024-54083 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps, which allows a user to cause a client-side (webapp and mobile) DoS for users of particular channels by sending a specially crafted post.
CVE-2024-5272 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a linked playbook run to see all the details of the playbook run when the run is marked as finished.
CVE-2024-5270 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider.
CVE-2024-36255 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 5.7 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions, which allows an attacker to run a playbook checklist task command as another user by creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel.
CVE-2024-36241 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 3.1 LOW | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls, which allows a user to view arbitrary post contents via the /playbook add slash command.
CVE-2024-34152 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control, which allows a guest to get the metadata of a public playbook run that is linked to the channel they are a guest of, by sending an RHSRuns GraphQL query request to the server.
CVE-2024-34029 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint, which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team.
CVE-2024-32045 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 5.9 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel, which allows members to link their runs to private channels they were not members of.
CVE-2024-31859 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks, which allows a member running a playbook in an existing channel to be promoted to a channel admin.
CVE-2025-31363 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 3.0 LOW | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict the domains the LLM can request to contact upstream, which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin's Jira tool.