Total
199 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-18908 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address. | |||||
CVE-2018-21264 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response. | |||||
CVE-2017-18914 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist. | |||||
CVE-2017-18902 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints. | |||||
CVE-2020-14460 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001. | |||||
CVE-2017-18901 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document. | |||||
CVE-2017-18876 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file. | |||||
CVE-2018-21251 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body. | |||||
CVE-2019-20889 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. | |||||
CVE-2017-18879 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment. | |||||
CVE-2017-18888 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts. | |||||
CVE-2019-20842 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels. | |||||
CVE-2018-21255 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel. | |||||
CVE-2019-20884 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post. | |||||
CVE-2016-11077 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 4.0 MEDIUM | 2.7 LOW |
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account. | |||||
CVE-2020-14453 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005. | |||||
CVE-2016-11070 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values. | |||||
CVE-2017-18884 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. | |||||
CVE-2017-18921 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page. | |||||
CVE-2020-14458 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004. |