Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Mattermost Subscribe
Total 194 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18895 1 Mattermost 1 Mattermost Server 2020-06-26 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
CVE-2017-18894 1 Mattermost 1 Mattermost Server 2020-06-26 5.5 MEDIUM 8.1 HIGH
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
CVE-2017-18892 1 Mattermost 1 Mattermost Server 2020-06-26 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
CVE-2017-18911 1 Mattermost 1 Mattermost Server 2020-06-26 6.4 MEDIUM 9.1 CRITICAL
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
CVE-2017-18915 1 Mattermost 1 Mattermost Server 2020-06-25 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
CVE-2017-18916 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVE-2017-18919 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVE-2017-18914 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
CVE-2015-9548 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
CVE-2017-18893 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
CVE-2017-18902 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
CVE-2018-21263 1 Mattermost 1 Mattermost Server 2020-06-25 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
CVE-2018-21260 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 2.7 LOW
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.
CVE-2017-18908 1 Mattermost 1 Mattermost Server 2020-06-25 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
CVE-2020-14456 1 Mattermost 1 Mattermost Desktop 2020-06-25 7.5 HIGH 7.3 HIGH
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.
CVE-2020-14455 1 Mattermost 1 Mattermost Desktop 2020-06-25 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007.
CVE-2020-14454 1 Mattermost 1 Mattermost Desktop 2020-06-25 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008.
CVE-2019-20847 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
CVE-2016-11075 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
CVE-2016-11077 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 2.7 LOW
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.