Filtered by vendor Mattermost
Total: 499 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-54682 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin. |
| CVE-2024-54083 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps, which allows a user to cause a client-side (webapp and mobile) DoS for users of particular channels by sending a specially crafted post. |
| CVE-2024-5272 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a linked playbook run to see all the details of the playbook run when the run is marked as finished. |
| CVE-2024-5270 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check whether the email signup configuration option is enabled when a user requests to switch from SAML to email. This allows the user to switch their authentication method from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider. |
| CVE-2024-36255 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 5.7 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions, which allows an attacker to run a playbook checklist task command as another user by creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel. |
| CVE-2024-36241 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 3.1 LOW | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls, which allows a user to view arbitrary post contents via the /playbook add slash command. |
| CVE-2024-34152 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control, which allows a guest to get the metadata of a public playbook run linked to a channel they are a guest in by sending an RHSRuns GraphQL query request to the server. |
| CVE-2024-34029 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint, which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team. |
| CVE-2024-32045 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 5.9 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel, which allows members to link their runs to private channels they were not members of. |
| CVE-2024-31859 | Mattermost | Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks, which allows a member running a playbook in an existing channel to be promoted to a channel admin. |
| CVE-2025-31363 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 3.0 LOW | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict the domains the LLM can request to contact upstream, which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin's Jira tool. |
| CVE-2025-2564 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled. |
| CVE-2025-35965 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 6.5 MEDIUM | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. |
| CVE-2025-41423 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 3.1 LOW | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. |
| CVE-2025-3446 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM | Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions, which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API endpoint that adds a single user to a team. |
| CVE-2025-0503 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 3.1 LOW | Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint, which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. |
| CVE-2025-22449 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 3.8 LOW | Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins with no permission to invite users to their team to invite users anyway by updating the "allow_open_invite" field, i.e. by making their team public. |
| CVE-2024-50052 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches the original post metadata, which allows an authenticated user to delete an arbitrary post. |
| CVE-2024-47401 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks, which allows an attacker to trigger a large, amplified GraphQL response that could crash the application by sending a specially crafted request to Playbooks. |
| CVE-2024-9155 | Mattermost | Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM | Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channel files that have not been linked to a post, which allows an attacker to view such files in channels they are a member of. |
| CVE-2025-9079 | Mattermost | Mattermost Server | 2025-09-25 | N/A | 8.0 HIGH | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via a malicious plugin upload to the prepackaged plugins directory. |
| CVE-2025-9081 | Mattermost | Mattermost Server | 2025-09-25 | N/A | 3.1 LOW | Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls, which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration. |
| CVE-2025-54458 | Mattermost | Confluence | 2025-09-25 | N/A | 5.0 MEDIUM | Mattermost Confluence Plugin versions <1.5.0 fail to check the access of the user to the Confluence space, which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint. |
| CVE-2025-1558 | Mattermost | Mattermost Mobile | 2025-09-25 | N/A | 6.5 MEDIUM | Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering, which allows a malicious user to cause the Android application to crash via a message containing a maliciously crafted GIF. |
| CVE-2025-1398 | Apple, Mattermost | Macos, Mattermost Desktop | 2025-09-25 | N/A | 3.3 LOW | Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements, which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. |
| CVE-2025-21083 | Mattermost | Mattermost Mobile | 2025-09-25 | N/A | 6.5 MEDIUM | Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post. |
| CVE-2025-20036 | Mattermost | Mattermost Mobile | 2025-09-25 | N/A | 6.5 MEDIUM | Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post. |
| CVE-2025-53910 | Mattermost | Confluence | 2025-09-25 | N/A | 4.0 MEDIUM | Mattermost Confluence Plugin versions <1.5.0 fail to check the access of the user to the channel, which allows attackers to create a channel subscription without proper access to the channel via an API call to the edit channel subscription endpoint. |
| CVE-2025-53857 | Mattermost | Confluence | 2025-09-25 | N/A | 3.7 LOW | Mattermost Confluence Plugin versions <1.5.0 fail to check the access of the user to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call to the GET autocomplete/GetChannelSubscriptions endpoint. |
| CVE-2025-53514 | Mattermost | Confluence | 2025-09-25 | N/A | 5.9 MEDIUM | Mattermost Confluence Plugin versions <1.5.0 fail to handle an unexpected request body, which allows attackers to crash the plugin by repeatedly hitting the server webhook endpoint with an invalid request body. |
| CVE-2025-48731 | Mattermost | Confluence | 2025-09-25 | N/A | 6.4 MEDIUM | Mattermost Confluence Plugin versions <1.5.0 fail to check the access of the user to the Confluence space, which allows attackers to edit a subscription for a Confluence space the user does not have access to via the edit subscription endpoint. |
| CVE-2025-44004 | Mattermost | Confluence | 2025-09-25 | N/A | 7.2 HIGH | Mattermost Confluence Plugin versions <1.5.0 fail to check the authorization of the user to the Mattermost instance, which allows attackers to create a channel subscription without proper authorization via an API call to the create channel subscription endpoint. |
| CVE-2025-52931 | Mattermost | Confluence | 2025-09-25 | N/A | 7.5 HIGH | Mattermost Confluence Plugin versions <1.5.0 fail to handle an unexpected request body, which allows attackers to crash the plugin by repeatedly hitting the update channel subscription endpoint with an invalid request body. |
| CVE-2025-44001 | Mattermost | Confluence | 2025-09-25 | N/A | 4.0 MEDIUM | Mattermost Confluence Plugin versions <1.5.0 fail to check the access of the user to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call to the Get Channel Subscriptions details endpoint. |
| CVE-2025-49221 | Mattermost | Confluence | 2025-09-24 | N/A | 3.7 LOW | Mattermost Confluence Plugin versions <1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated attackers to access subscription details via an API call to the GET subscription endpoint. |
| CVE-2024-11358 | Google, Mattermost | Android, Mattermost Mobile | 2025-09-24 | N/A | 5.7 MEDIUM | Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers, which allows an attacker with local access to access files via the file provider. |
| CVE-2025-0476 | Mattermost | Mattermost Mobile | 2025-09-24 | N/A | 4.3 MEDIUM | Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opens a channel containing the specially crafted attachment. |
| CVE-2025-20072 | Mattermost | Mattermost Mobile | 2025-09-24 | N/A | 6.5 MEDIUM | Mattermost Mobile versions <=2.22.0 fail to properly validate the style value supplied for an action in post.props.attachments, which allows an attacker to crash the mobile app via crafted malicious input. |
| CVE-2025-20630 | Mattermost | Mattermost Mobile | 2025-09-24 | N/A | 6.5 MEDIUM | Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile app to crash by creating and sending such a post to a channel. |
| CVE-2025-30516 | Mattermost | Mattermost Mobile | 2025-09-24 | N/A | 2.0 LOW | Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications. |
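Every description above carries its affected-version clauses in the same shape ("10.1.x <= 10.1.2, 10.0.x <= 10.0.2, ...", "<=2.25.0", "<1.5.0"), and the first thing a practitioner wants from such a list is a yes/no for the build they are running. The following triage script is an added example, not code from Mattermost or from this listing: it parses those clauses, classifies a running version against each CVE, and, as an assumption this page does not state, treats a version that is older than the newest listed fix but sits on a branch the vendor did not list as an unsupported (and therefore unpatched) line rather than as clean. The `AFFECTED` table is a constructed sample holding four clause strings copied from the rows above; extend it with any other row.

```python
import re

# Constructed sample: affected-version clauses copied from four descriptions on
# this page, keyed by CVE id. Any other row's clause text can be added here.
AFFECTED = {
    "CVE-2024-54682": "10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12",
    "CVE-2025-0503": "9.11.x <= 9.11.6",
    "CVE-2025-3446": "10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11",
    "CVE-2025-9079": "10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3",
}

# One clause: an optional "<branch>.x" prefix, an operator, and either the last
# affected version ("<=") or the first fixed version ("<").
# Matches "10.1.x <= 10.1.2", "<=2.25.0" and "<1.5.0".
CLAUSE = re.compile(r"(?:(\d+(?:\.\d+)*)\.x\s*)?(<=|<)\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'10.1.2' -> (10, 1, 2). Tuples compare component-wise; strings would not."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_clauses(text):
    """Return [(branch_tuple_or_None, op, bound_tuple), ...] found in one description."""
    return [
        (parse_version(branch) if branch else None, op, parse_version(bound))
        for branch, op, bound in CLAUSE.findall(text)
    ]


def status(version, clause_text):
    """Classify a running version against one CVE's clause list.

    'affected' -> on a listed branch, at or below that branch's last affected version
    'fixed'    -> on a listed branch above its bound, or newer than every bound
    'unlisted' -> older than the newest bound but on a branch the vendor did not list;
                  assumed here (not stated on the page) to be an unsupported line
    """
    v = parse_version(version)
    clauses = parse_clauses(clause_text)
    if not clauses:
        raise ValueError("no version clause found in: %r" % clause_text)
    for branch, op, bound in clauses:
        if branch is not None and v[: len(branch)] != branch:
            continue  # clause is about a different release line
        hit = v <= bound if op == "<=" else v < bound
        return "affected" if hit else "fixed"
    newest = max(bound for _, _, bound in clauses)
    return "fixed" if v > newest else "unlisted"


def report(version, table=AFFECTED):
    """Map every CVE in the table to its status for the given version."""
    return {cve: status(version, text) for cve, text in table.items()}


if __name__ == "__main__":
    for cve, state in sorted(report("10.5.8").items()):
        print(cve, state)
```

The "unlisted" outcome is the one to watch: for CVE-2024-54682 a 9.6.0 server matches none of the 10.1/10.0/9.11/9.5 clauses, and a naive checker would report it clean, whereas the advisory lists only the lines that received a fix. Treat "unlisted" as "upgrade to a supported line" unless the vendor says otherwise.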
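CVE-2024-54682 (zip bomb via the Slack import upload) is a class of bug that recurs in any feature accepting archives, so it is worth seeing what the missing guard looks like. The code below is an added example, not Mattermost's fix or any code from this listing: it vets an uploaded zip in two layers, first the sizes declared in the central directory (cheap, and enough for an honest bomb), then a byte count taken while actually inflating each member, because the declared sizes are attacker-controlled and can understate the real output. The limits are assumed policy values, and the archives it builds are constructed samples, including a 20 MiB and a 1 MiB run of zero bytes that deflate at roughly 1000:1.

```python
import io
import zipfile

# Assumed policy values for this example; they are not Mattermost's limits.
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024   # 10 MiB summed over all members
MAX_RATIO = 100                              # uncompressed bytes per compressed byte
CHUNK = 64 * 1024


class ImportRejected(Exception):
    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def build_sample_zip(payload, name="data.jsonl"):
    """Constructed sample archive holding a single deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def check_import_archive(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Vet an uploaded zip before any member reaches the importer.

    Returns the total number of inflated bytes, or raises ImportRejected with a
    reason of 'declared-size', 'ratio' or 'actual-size'.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        # Layer 1: trust-but-verify the central directory. Cheap, catches the common case.
        if declared > max_total:
            raise ImportRejected("declared-size", f"{declared} bytes > {max_total}")
        if compressed and declared / compressed > max_ratio:
            raise ImportRejected("ratio", f"{declared / compressed:.0f}:1 exceeds {max_ratio}:1")
        # Layer 2: count what actually comes out of the decompressor, in chunks,
        # so a forged header cannot talk us into inflating the whole thing.
        inflated = 0
        for info in infos:
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    inflated += len(chunk)
                    if inflated > max_total:
                        raise ImportRejected("actual-size", f"stream exceeded {max_total} bytes")
        return inflated


def vet_upload(data):
    """('accepted', inflated_bytes) or ('rejected', reason) for one upload body."""
    try:
        return ("accepted", check_import_archive(data))
    except ImportRejected as err:
        return ("rejected", err.reason)
    except zipfile.BadZipFile:
        return ("rejected", "bad-zip")


# Constructed benign payload: 50 slightly different JSON lines, compressible but not absurdly so.
BENIGN = b"".join(b'{"type": "post", "message": "hello %d"}\n' % i for i in range(50))

if __name__ == "__main__":
    print(vet_upload(build_sample_zip(BENIGN)))
    print(vet_upload(build_sample_zip(b"\0" * (20 * 1024 * 1024))))
    print(vet_upload(build_sample_zip(b"\0" * (1024 * 1024))))
```

Two caveats a reviewer would raise: the byte counter is per archive layer, so an importer that unpacks nested archives must apply the same guard recursively rather than trusting the outer result, and the ratio check alone is not sufficient because a bomb can stay under any ratio by simply being large, which is why the absolute size cap comes first.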